Chapter 9 Slides
Exam 70-294 Planning, Implementing, and Maintaining
a Microsoft Windows Server 2003 Active Directory Infrastructure
Lesson 9: Implementing Group Policy
Goals
Introduce Group Policy
Introduce the types of Group Policy settings
and the GPMC
Identify the role of a Group Policy at startup
and logon
Plan a Group Policy implementation
Create a Group Policy Object
Delegate control for a Group Policy Object
© 2004 Pearson Education, Inc.
(Skill 1)
Introducing Group Policy
An administrator must monitor user and computer
settings regularly to make sure that they conform to
the corporate standards
Group Policy is the primary Active Directory tool used
by administrators to set the standard behavior for
users’ desktops and to enforce those requirements
Introducing Group Policy (2)
Using Group Policies
Administrators define the work environment settings once
The settings are applicable regardless of the user’s
location
Administrators can apply GPOs to various Active Directory
containers to implement rules at various levels
To do this, you simply link the GPO to one of these
containers
Introducing Group Policy (3)
Group Policy is also referred to as a Group Policy
Object (GPO)
A GPO is a storage place for a collection of Group
Policy settings that enable an administrator to control
various aspects of the computing environment
All Group Policy settings are stored in a GPO along with
the properties associated with the objects in the Active
Directory store
Introducing Group Policy (4)
Policy settings for sites, domains, and organizational
units are stored in GPOs
To create a GPO for a domain or an OU
Use the Active Directory Users and Computers
console
Use the Group Policy Management Console (GPMC)
Introducing Group Policy (5)
To create a GPO for a site
Use the Active Directory Sites and Services console
Use the Group Policy Management Console (GPMC),
which combines the functionality of various consoles
Active Directory Users and Computers
Active Directory Sites and Services
ACL Editor
Delegation Wizard
Resultant Set of Policy tool
Figure 9-1 Download the GPMC
Introducing Group Policy (6)
Two types of GPOs
Local GPOs are stored on each Windows Server 2003
computer
Active Directory-based GPOs
Are stored on a domain controller in the Active Directory
environment
Are replicated to all domain controllers in the domain
Introducing Group Policy (7)
GPO is made up of two parts
Group Policy Container (GPC)
GPO attributes
Extensions
Version information
Group Policy Template (GPT)
Collection of folders
Stored on each Windows Server 2003 domain controller
Introducing Group Policy (8)
Group Policy Container (GPC)
An Active Directory component that contains GPO
attributes, extensions, and version information
Domain controllers use this information to make sure
they are using the most recent version of the GPO and
to apply permissions to the GPO
For each GPO, there is a GPC container stored in the
System\Policies folder in the Active Directory Users and
Computers console
Each GPC container is identified by the Globally Unique
Identifier (GUID) for the GPO
Figure 9-2 GPC containers in the
Active Directory Users and Computers console
Introducing Group Policy (9)
Group Policy Template (GPT)
A collection of folders stored on each Windows Server
2003 domain controller in the folder
%Systemroot%\SYSVOL\sysvol\<domain_name>\Policies
For each GPO, a folder hierarchy composed of the
physical files and settings required by the GPO is
automatically created
These settings are applied to the Windows 2000,
Windows Server 2003, and Windows XP clients on a
network
Introducing Group Policy (10)
Group Policy Template (GPT)
Contains all of the Registry entries, as well as the
associated files and folders required to implement the
various GPO functions
Like the GPC container, the GPT folder is identified by
the GUID for the GPO
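One way to check that a GPO's two halves agree, as an added Python example that is not part of the original slides. It relies on details the slides do not give: the GPT folder holds a GPT.INI file whose Version value should equal the versionNumber attribute of the GPC, with the User Configuration count in the upper 16 bits and the Computer Configuration count in the lower 16. The GUIDs and version numbers are constructed.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed GUIDs; real ones come from System\Policies and SYSVOL\...\Policies.
A = "{11111111-1111-1111-1111-111111111111}"
B = "{22222222-2222-2222-2222-222222222222}"
C = "{33333333-3333-3333-3333-333333333333}"
D = "{44444444-4444-4444-4444-444444444444}"


def split_version(version):
    """Upper 16 bits: User Configuration edits; lower 16 bits: Computer."""
    return {"user": version >> 16, "computer": version & 0xFFFF}


def read_gpt_version(policies_dir, guid):
    """Version from <Policies>/{GUID}/GPT.INI, or None if it cannot be found."""
    ini = Path(policies_dir) / guid / "GPT.INI"
    if not ini.is_file():
        return None
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(ini, encoding="utf-8-sig")   # tolerate a byte-order mark
    return parser.getint("General", "Version", fallback=None)


def compare_gpc_gpt(gpc_versions, policies_dir):
    """Compare {guid: versionNumber} read from the GPCs with the GPT folders.

    Returns a list of (guid, kind, detail) findings.
    """
    findings = []
    for guid, gpc in sorted(gpc_versions.items()):
        gpt = read_gpt_version(policies_dir, guid)
        if gpt is None:
            findings.append((guid, "missing-gpt", "GPC has no usable GPT.INI"))
        elif gpt != gpc:
            findings.append((guid, "version-mismatch",
                             f"GPC {split_version(gpc)} vs GPT {split_version(gpt)}"))
    # GPT folders whose GUID has no GPC object in the directory.
    on_disk = {p.name for p in Path(policies_dir).iterdir() if p.is_dir()}
    for guid in sorted(on_disk - set(gpc_versions)):
        findings.append((guid, "orphan-gpt", "GPT folder has no GPC"))
    return findings


def run_sample():
    """Build a constructed Policies folder and GPC table, then compare them."""
    gpc = {A: 65539, B: 131077, C: 1}     # constructed versionNumber values
    gpt = {A: 65539, B: 131076, D: 7}     # constructed GPT.INI Version values
    with tempfile.TemporaryDirectory() as tmp:
        for guid, version in gpt.items():
            folder = Path(tmp) / guid
            folder.mkdir()
            (folder / "GPT.INI").write_text(f"[General]\nVersion={version}\n")
        return compare_gpc_gpt(gpc, tmp)


if __name__ == "__main__":
    for guid, kind, detail in run_sample():
        print(f"{guid}  {kind}: {detail}")
```

A finding means the directory object and the SYSVOL folder for that GPO are out of step on the domain controller that was checked.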
Figure 9-3 The Add Standalone Snap-in dialog box
Figure 9-4 The Group Policy Wizard
Figure 9-5 The Add/Remove Snap-in dialog box
Figure 9-6 Configuring Local Computer Policy
(Skill 2)
Introducing the Types of Group Policy Settings
and the GPMC
Group Policy settings are divided into two categories
Computer Configuration settings
These settings refer to Group Policies that apply to
computers, regardless of what user logs on
These settings apply to a computer during the
initialization of the operating system
User Configuration settings
These settings refer to Group Policies for users,
regardless of what computer the users log on to
These settings apply at user logon
Introducing the Types of Group Policy Settings
and the GPMC (2)
Both Computer Configuration settings and User
Configuration settings contain three main containers
that include a number of related policies
Software Settings
Windows Settings
Administrative Templates
Figure 9-7 The three main categories of User Configuration
and Computer Configuration Group Policy
Introducing the Types of Group Policy Settings
and the GPMC (3)
Software Settings
This configuration setting node is used to determine the
applications distributed to computers or users via a
GPO
You use Software Settings to assign applications to
computers or to assign or publish applications to users
If you use the Computer Configuration node to assign
an application to a computer, the application appears
on the Start menu for all computers in the domain, site,
or OU
Introducing the Types of Group Policy Settings
and the GPMC (4)
Software Settings
If you publish an application to users, it appears in the
Add/Remove Programs Wizard for all users in the
domain, site, or OU
If you assign an application to users using the User
Configuration node
It displays on the Start menu for all users in the site,
domain, or OU
It does not install until the user invokes it
This functionality is called “advertising”
Figure 9-8 Software installation
Introducing the Types of Group Policy Settings
and the GPMC (5)
Windows Settings
In the Computer Configuration node, the Windows
Settings node contains the Scripts and Security
Settings extensions
Scripts extension: Used to specify startup and
shutdown scripts for computers, as well as logon and
logoff scripts for users on a network
Security Settings extension: Used by administrators to
configure security settings for the local computer or for
a GPO
Figure 9-9 Scripts
Introducing the Types of Group Policy Settings
and the GPMC (6)
Windows Settings
In the User Configuration node, the Windows Settings
node has five folders
Remote Installation Services
Scripts
Security Settings
Internet Explorer Maintenance
Folder Redirection
Introducing the Types of Group Policy Settings
and the GPMC (7)
Windows Settings
Remote Installation Services Group Policies control
the RIS installation options available to the user when
the Client Installation Wizard is initiated
Folder Redirection Group Policies relocate special
folders, such as My Documents, Start Menu, or
Desktop
You can redirect these folders from their default
locations in a user profile to alternate locations
Figure 9-10 Types of Folder Redirection policies
Introducing the Types of Group Policy Settings
and the GPMC (8)
Administrative Templates
Contains all Registry-based Group Policy settings,
including settings for Windows Components, System,
and Network
Group Policy settings for Printers are available only in
the Computer Configuration container
Other settings, including Start Menu and Taskbar,
Desktop, Control Panel, and Shared Folders are
available only in the User Configuration container
Figure 9-11 Types of Administrative Templates policies
Introducing the Types of Group Policy Settings
and the GPMC (9)
Group Policy Management Console (GPMC)
Comprehensive tool for Group Policy administration for
Windows 2000 and Windows Server 2003 domains
Provides administrators with the ability to back up,
restore, import, and copy/paste GPOs, as well as to
create, delete, and rename them
Use it to link GPOs and search for GPOs
Use it to delegate Group Policy-related features and for
policy-related permissions for sites, domains, and OUs
Figure 9-12 Group Policy Objects in the GPMC
Introducing the Types of Group Policy Settings
and the GPMC (10)
GPMC installation requirements
Requires Windows Server 2003 or Windows XP Service
Pack 1 or above computers
To run the tool on Windows XP Service Pack 1 or above
computers, you must also install the QFE update
Q326469 and the Microsoft .NET Framework
The domain controllers must all be running Windows
2000 Service Pack 2 or later
Introducing the Types of Group Policy Settings
and the GPMC (11)
GPMC requirements for domain controllers
GPMC requires that all LDAP communications be signed
and encrypted
To access domain controllers in an external forest, they
must be running Windows 2000 Service Pack 3 or later
If you want to access domain controllers in an external
forest that are not yet running Service Pack 3 or later,
edit the Registry on the computer running GPMC to relax
LDAP signing and encryption requirements
Introducing the Types of Group Policy Settings
and the GPMC (12)
System Policies
Used in Windows 9x and Windows NT to change
Registry settings and to control the user environment
Still useful for managing Windows 9x and NT computers
Windows 9x: you can run the Poledit.exe version on the
Windows 98 installation CD to create config.pol files
Windows NT 4.0 Workstation or Server: use the Windows
NT System Policy Editor or the Poledit.exe included with
Windows Server 2003 to create config.pol files
Introducing the Types of Group Policy Settings
and the GPMC (13)
System Policies
System Policy Editor (Poledit.exe) has been mostly
replaced by Group Policy in Windows 2000 and
Windows Server 2003
If you create policy settings with the Windows Server 2003
version, you cannot edit them using the Windows NT
4.0 version
Figure 9-13 The System Policy Editor
Introducing the Types of Group Policy Settings
and the GPMC (14)
Each of the Group Policy Object Editor extensions is an
MMC snap-in extension itself
All Group Policy setting folders are loaded by default
when Group Policy Object Editor is started
You can create custom consoles for each of these
extensions
Use the Microsoft Management Console folder in the
User Configuration\Administrative Templates container
in the Group Policy Object Editor to apply these
policies
Figure 9-14 The Microsoft Management Console folder
(Skill 3)
Identifying the Role of a Group Policy
at Startup and Logon
The role of a Group Policy begins when a computer
starts up or when a user logs on
During startup and logon, both Computer
Configuration and User Configuration settings are
applied in a specific sequence
Figure 9-15 The sequence in
which Computer Configuration
and User Configuration settings
are applied
Identifying the Role of a Group Policy
at Startup and Logon (2)
Every computer has one GPO that is stored locally
This local Group Policy Object (LGPO) is applied first
The processing sequence becomes very important
when dealing with multiple policies
If there are no conflicts between the policies, all settings
from all of the policies apply
However, if a conflict occurs, the policy applied last wins
Identifying the Role of a Group Policy
at Startup and Logon (3)
Sequence in which Group Policy settings are
processed
Local GPO
Site GPOs
Domain GPOs
OU GPOs (LSDOU)
Identifying the Role of a Group Policy
at Startup and Logon (4)
If more than one GPO is linked
The policies are processed in reverse order for each
individual container
This is done so that the policy that is considered to be
the most important is displayed at the top of the list of
all GPOs applied to a particular container
Identifying the Role of a Group Policy
at Startup and Logon (5)
Like files and folders, Group Policies are also
inherited from parent containers to child containers
You can specifically set a separate Group Policy
setting for a child container to override the settings it
inherits from its parent container
It is extremely important to note that like OU
structures, Group Policies do not flow between
domains
Identifying the Role of a Group Policy
at Startup and Logon (6)
Group Policy applied to a parent domain
Does not apply to its child domain or domains
The only container that can apply Group Policies to
multiple domains is the site container
Group Policy applied to a site
Affects all users and computers in the site, regardless
of domain
For this reason, you must be an Enterprise Admin in
order to apply a Group Policy to a site
Identifying the Role of a Group Policy
at Startup and Logon (7)
Exceptions to the order in which GPOs are processed
If a computer belongs to a workgroup, it processes
only local GPOs
You can modify the default behavior using the Block
Inheritance option, but this can make GPO
administration more complicated and it should be
used sparingly
You can block inheritance for GPO links for an entire
domain, for all domain controllers, or for an OU
Figure 9-16 Blocking Inheritance for the GPO links for all domain controllers
Identifying the Role of a Group Policy
at Startup and Logon (8)
Exceptions to the order in which GPOs are processed
The default order for processing Group Policy settings
is also affected when you set the GPO link to Enforced
Policy settings in the GPO link take precedence over
child object settings
Gives the parent GPO link precedence so that the default
behavior does not apply (formerly called the No Override
option)
GPO administration is more complex
GPOs cannot have their inheritance blocked
Figure 9-17 The Enforced setting
Identifying the Role of a Group Policy
at Startup and Logon (9)
Exceptions to the order in which GPOs are
processed
If the Block Inheritance option is set for a domain or OU
The GPOs above that point in the structure do not affect
users or computers in that structure; they are blocked
If there is a conflict between Enforced and Block
Inheritance, Enforced always wins
Identifying the Role of a Group Policy
at Startup and Logon (10)
Exceptions to the order in which GPOs are processed
You can disable a GPO link to block that GPO from
being applied for the selected site, domain, or OU
Disables the GPO only for the selected container object; it does
not disable the GPO itself
If the GPO is linked to other sites, domains, or OUs, they
continue to process the GPO as long as their links are enabled
Processing is enabled for all GPO links by default
To disable a GPO link, right-click it and select the Link Enabled
command (a check mark indicates it is enabled)
Figure 9-18 The Link Enabled command
Identifying the Role of a Group Policy
at Startup and Logon (11)
Exceptions to the order in which GPOs are processed
When GPOs are linked to the same container, policies
are evaluated based on the link order set on the Linked
Group Policy Objects tab for the container object
The policy settings in the GPO with the lowest link order
(Link Order 1) are processed last
Link Order 1 has the highest precedence and is used to
settle a conflict
Use the arrow buttons to change the link order
Identifying the Role of a Group Policy
at Startup and Logon (12)
Exceptions to the order in which GPOs are processed
Group Policies are never applied to Windows NT, 95,
98, or Windows Me computers
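The processing rules from the preceding slides (LSDOU, reverse link order, Link Enabled, Block Inheritance, Enforced) worked through as an added Python example, which is not part of the original slides. The container names, GPO names and settings are constructed, and the ordering among several Enforced links (the one highest in the hierarchy wins) is standard Group Policy behavior that the slides do not spell out.

```python
from dataclasses import dataclass, field


@dataclass
class Link:
    gpo: str
    order: int               # Link Order in the GPMC; 1 = highest precedence
    enforced: bool = False   # Enforced (formerly No Override)
    enabled: bool = True     # Link Enabled check mark


@dataclass
class Container:
    name: str                # site, domain or OU
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(chain):
    """GPO names in the order they are applied; the last one applied wins.

    chain = [site, domain, parent OU, ..., OU holding the user or computer]
    """
    # Block Inheritance drops the non-enforced links of every container above
    # the deepest container that sets it. The local GPO is not affected.
    barrier = max((i for i, c in enumerate(chain) if c.block_inheritance),
                  default=0)

    def live_links(container):
        # Disabled links are skipped; Link Order 1 is processed last.
        enabled = [l for l in container.links if l.enabled]
        return sorted(enabled, key=lambda l: l.order, reverse=True)

    order = ["Local GPO"]
    for depth, container in enumerate(chain):       # L, then S, D, OU
        if depth >= barrier:
            order += [l.gpo for l in live_links(container) if not l.enforced]
    # Enforced links are applied after everything else, so neither child
    # settings nor Block Inheritance can override them. Not on the slides:
    # among enforced links, the one highest in the hierarchy is applied last.
    for container in reversed(chain):
        order += [l.gpo for l in live_links(container) if l.enforced]
    return order


def effective_settings(chain, gpo_settings):
    """Resolve conflicts: {setting: (value, winning GPO)}."""
    result = {}
    for gpo in processing_order(chain):
        for setting, value in gpo_settings.get(gpo, {}).items():
            result[setting] = (value, gpo)
    return result


def sample_chain(block_kiosks=True):
    """Constructed hierarchy: site -> domain -> OU Staff -> OU Kiosks."""
    return [
        Container("Site HQ", [Link("Site-Proxy", 1)]),
        Container("corp.example", [Link("Domain-Baseline", 1, enforced=True),
                                   Link("Domain-Desktop", 2)]),
        Container("OU Staff", [Link("Staff-Lockdown", 1)]),
        Container("OU Kiosks", [Link("Kiosk-A", 1), Link("Kiosk-B", 2),
                                Link("Kiosk-Old", 3, enabled=False)],
                  block_inheritance=block_kiosks),
    ]


# Constructed settings; several GPOs set the same value to force conflicts.
SAMPLE_SETTINGS = {
    "Local GPO":       {"screensaver_timeout": 900},
    "Site-Proxy":      {"proxy": "proxy.hq.example"},
    "Domain-Baseline": {"min_password_length": 12, "screensaver_timeout": 600},
    "Domain-Desktop":  {"wallpaper": "corp.bmp"},
    "Staff-Lockdown":  {"control_panel": "hidden"},
    "Kiosk-A":         {"screensaver_timeout": 60, "wallpaper": "kiosk.bmp"},
    "Kiosk-B":         {"wallpaper": "old-kiosk.bmp"},
    "Kiosk-Old":       {"min_password_length": 4},
}

if __name__ == "__main__":
    for blocked in (False, True):
        chain = sample_chain(blocked)
        print("Block Inheritance on OU Kiosks:", blocked)
        print("  order:", " -> ".join(processing_order(chain)))
        resolved = effective_settings(chain, SAMPLE_SETTINGS)
        for name, (value, gpo) in sorted(resolved.items()):
            print(f"  {name} = {value!r}  (from {gpo})")
```

With Block Inheritance set on the Kiosks OU, the site, domain and Staff GPOs drop out, yet the enforced Domain-Baseline still overrides the kiosk screensaver timeout.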
Identifying the Role of a Group Policy
at Startup and Logon (13)
User Group Policy loopback processing mode
This policy is referred to as the loopback feature
Enforced when both the user account and the
computer account are members of a Windows 2000
or later domain
You can configure loopback so that the User
Configuration settings in GPOs are applied to every
user logging on to that computer
Figure 9-19 The User Group Policy loopback processing mode policy
Identifying the Role of a Group Policy
at Startup and Logon (14)
User Group Policy loopback processing mode
In Merge mode, the Computer Configuration GPO settings
are appended to the default list of GPOs
In Replace mode, the User Configuration GPO settings are
completely replaced by the Computer Configuration GPO
settings
Figure 9-20 Merge or Replace mode
(Skill 4)
Planning a Group Policy Implementation
After you decide on a Group Policy setting design,
you devise a Group Policy implementation strategy
Factors to consider
Location of GPOs
Delegation of authority
Organization structure
Planning a Group Policy Implementation (2)
Types of Group Policy implementation strategies
Centralized GPO design
An organization’s network is maintained by a small
number of large GPOs
Decentralized GPO design
Uses separate GPOs for specific policy settings
Planning a Group Policy Implementation (3)
Types of Group Policy implementation strategies
Functional Role (or Team Design)
Users' functional roles determine how Group Policies
are applied
Steps to implement this strategy
Create an OU structure that corresponds to the actual
team structure of your organization
Create a customized GPO for each OU that is tailored to
the needs of the OU
Planning a Group Policy Implementation (4)
Types of Group Policy implementation strategies
Delegation with Central Control Design or Distributed
Control Design
Based on delegating administrative control over OUs to
various administrators in an organization
When you implement this strategy, you maintain
centralized control while distributing managerial control
to a number of OU administrators
Planning a Group Policy Implementation (5)
Regardless of which approach (or combination) you
choose, it is important to try to avoid using certain
tools and options
Enforced and Block Inheritance options
Filtering
Troubleshooting GPOs can be very difficult when
these tools are used
(Skill 5)
Creating a Group Policy Object
When you install Active Directory on your network, two
GPOs are created automatically
Default Domain Policy, which is linked to the domain
Default Domain Controllers Policy, which is linked to the
Domain Controllers OU
You can use these policies to assign standard settings
to the domain and the domain controllers in a domain,
respectively
Creating a Group Policy Object (2)
GPOs can be linked to sites, domains, and OUs
To link a GPO to a site, use the Active Directory Sites
and Services console or the GPMC
To link GPOs to domains and OUs, use either the
Active Directory Users and Computers console or the
GPMC
Creating a Group Policy Object (3)
You can create a stand-alone GPO console for a
GPO and access it directly from the All
Programs/Administrative Tools menu
Steps to create a GPO console
1. Open the Add Standalone Snap-in dialog box from an
MMC console
2. Select Group Policy Object Editor from the list of
available snap-ins
Creating a Group Policy Object (4)
Steps to create a GPO console
3. Click the Browse button in the Group Policy Wizard
4. In the Browse for a Group Policy Object dialog box,
select the GPO for which you want to create a console
The selected GPO name is added to the Group Policy
Object text box on the Select Group Policy Object
screen in the wizard
5. From the File menu, save the console for the GPO to
make it available on the All Programs/Administrative
Tools menu
Figure 9-21 Creating a GPO
Figure 9-22 The New GPO dialog box
Figure 9-23 New Group Policy Object in a domain
(Skill 6)
Delegating Control for a Group Policy Object
Assign permissions to delegate administrative
control over a GPO on the Delegation tab in the
GPMC
There are three standard permissions you can
assign to a GPO
However, five permission levels display on the
Delegation tab
Each of these permission levels represents a
combination of Active Directory permissions
Delegating Control for a Group Policy Object (2)
To delegate permissions for a GPO, you must have
the Edit settings, delete, and modify security
permission for the GPO
To view the permissions for groups with custom
permissions or to set custom permissions, click the
Advanced button to open the ACL Editor for the GPO
(<GPO_name> Security Settings dialog box)
Delegating Control for a Group Policy Object (3)
You must assign the Edit settings, delete, and modify
security permission to at least one group or user for
each GPO
If there is only one user or group with this permission
level, you cannot remove this user or group
Permissions inherited from parent containers cannot
be removed
Delegating Control for a Group Policy Object (4)
To change the permissions assigned to a user or
group
Right-click the user or group in the Groups and
users box
Select from the three standard permissions on the
context menu
You can also use the Remove command to
remove a user or group from the Groups and users
box
Figure 9-24 Setting GPO permissions
Figure 9-25 The Delegation tab in the GPMC