
CIS 2154 W2K Active Directory
Chapter 6 - Implementing and Troubleshooting Group Policy
 

I.                    Creating a Group Policy object

A.     Introduction to GPOs

1.      Collection of common configurations that can be applied to:

a.      Users

b.      Computers

c.      Groups of users

d.      Groups of computers

2.      Each GPO can consist of:

a.      Software settings

b.      Windows settings

c.      Administrative templates

3.      Provides dynamic control of all users and computers on the network

a.      GPOs are only compatible with Windows 2000 Professional desktops.

b.      Windows NT 4.0 and Windows 9x desktops have to be configured using the system policy editor.

4.      Software settings

a.      Allow distribution of software packages to specific users and/or computers within the network

b.      Automatic installation of software with no user interface needed

5.      Windows settings

a.      The most powerful of all settings within the GPO

b.      Allows configuration of various items, including:

i.                    Restricted user groups

ii.                  Enforce startup/shutdown scripts

iii.                System services

iv.                 Registry settings

v.                   Public key policies, such as Encrypting File System (EFS) recovery agents

vi.                 IP Security (IPSec) policies

vii.               Other local security settings (such as event log settings, audit and account policies, and user rights assignments)

6.      Administrative templates

i.                    Allow direct manipulation of registry settings

ii.                  Allow for control of users and computers that is not granted under other GPOs

iii.                Can be customized to modify virtually any registry setting within the network

B.     Deciding where to apply a GPO in the organizational unit (OU) structure

1.      Three major factors and places for assignment

a.      Assigning GPOs based on a location such as a site, domain, or OU

b.      Filtering the assignment of GPOs using security groups

c.      Modifying the inheritance of a GPO by using the Block Policy Inheritance and No Override switches for Group Policies

2.      Best practices

a.      Disable unused parts of the GPO for faster processing and application of the GPOs

b.      Use Block Policy Inheritance sparingly to avoid confusion

c.      Use No Override sparingly to avoid confusion

d.      Minimize use of GPOs when possible to allow for faster logons

C.    How to create a policy

1.      Group Policy MMC snap-in

2.      Not placed in the administrative tools by default

a.      Launch MMC from the Run command

b.      Add Group Policy snap-in

c.      Select the specific GPO you want to manage

i.                    Defaults to selecting the local GPO

ii.                  Can browse through domain to select the desired GPO

iii.                New GPOs can be created at this point as well

 

II.                  Linking an existing Group Policy object

A.     Allows a GPO to be used within a specific area

1.      Domain

2.      Organizational unit

3.      Site

4.      The GPO, once linked, can be configured to apply to all or part of the assigned area.

B.     Overview of GPO location in Active Directory

1.      All GPOs logically reside within the container in which they are created.

2.      Physically all GPOs exist within the Policies folder of the system root.

C.    How to link a GPO

1.      GPOs are managed and applied through the Group Policies MMC snap-in.

2.      Once a GPO is created, it can be linked to any other container object within Active Directory

 

III.                Delegating administrative control of a Group Policy

A.     Why delegate control?

1.      Used to maintain strict control of who can modify policy objects

2.      Necessary in organizations with large or diverse groups of administrators

B.     How to delegate control

1.      Managed through the Security tab of all GPOs

a.      All authenticated users need read and apply permissions to be able to use the GPO.

b.      Administrators need permissions to actually modify the object.

IV.               Modifying Group Policy inheritance

A.     Application of GPOs

1.      Inheritance is the acceptance of GPO settings designated by Group Policies assigned higher in the chain of Group Policy processing

2.      Group Policies are always assigned from the top down.

3.      When multiple GPOs are linked to the same container, they are applied from the bottom of the list to the top instead, so the topmost link takes effect last.

4.      All sections within the computer configuration are applied first, including the logon scripts, before the user configuration is applied.

5.      When computer and user settings conflict, the computer settings normally prevail.

6.      LSDOU: Acronym that can be used to remember the processing order of all GPOs in the domain

a.      Local computer

b.      Site

c.      Domain

d.      Organizational unit

B.     What is inheritance?

1.      Block Policy Inheritance

a.      Can be set on all site, domain, or OU objects on the Group Policy tab

b.      All policies applied higher in the organization will be ignored by this object and everything directly beneath it.

2.      No Override

a.      Applies only to a specific GPO

b.      Specifies that all settings within the GPO cannot be overridden by any other GPO applied higher in the chain

c.      In cases in which No Override and Block Policy Inheritance collide, No Override will prevail and all assigned configuration changes of the GPO will be assigned to the object in question.

C.    Changing GPO inheritance

a.      In Active Directory Users and Computers, select the Domain Controller object in question

b.      In the domain controller’s Properties window, choose Block Policy Inheritance

 

V.                 Filtering Group Policy settings

A.     Why filter a GPO?

1.      Allows application of GPO to specific users or computers

2.      Systems from multiple OUs can be chosen without affecting all the other systems within the OU.

3.      Systems or users desired by the selection are added to a security group.

a.      The group should contain only one of the two: systems or users, not both

b.      The security group should be named in such a manner that its intent is clearly understood.

4.      The security group is given permission to the GPO, and the Authenticated Users group should be removed.

B.     How to apply a filter to a GPO

1.      Very similar to the process used to assign NTFS permissions to a folder or file

2.      Perform Exercise 6-5 on page 308 of the text
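The processing rules from sections IV and V (LSDOU order, bottom-to-top links on one container, Block Policy Inheritance, No Override, and security-group filtering) modelled in Python as an added example; this is not code from the course notes, the containers, GPO names, groups and settings are constructed, and the local GPO surviving Block Policy Inheritance is this model's assumption.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict                      # only "defined" settings are stored; non-defined are absent
    apply_to: frozenset = frozenset({"Authenticated Users"})  # groups holding Read + Apply
    no_override: bool = False

@dataclass
class Container:
    name: str                           # local computer, site, domain, or OU
    links: list = field(default_factory=list)   # Group Policy tab order, top entry first
    block_inheritance: bool = False

def processing_order(chain):
    """chain is top-down per LSDOU: local, site, domain, OU, sub-OU ...
    Returns GPOs in the order their settings are written, so later entries win."""
    normal, enforced = [], []           # lists of (depth, gpo)
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            # Block Policy Inheritance drops GPOs inherited from higher containers.
            # Model assumption: the local GPO (depth 0) is kept, No Override GPOs are untouched.
            normal = [(d, g) for d, g in normal if d == 0]
        # links on one container are applied bottom-to-top, so the top link is written last
        for gpo in reversed(container.links):
            (enforced if gpo.no_override else normal).append((depth, gpo))
    # No Override GPOs are written after everything else; a higher one beats a lower one
    enforced.sort(key=lambda dg: -dg[0])
    return [g for _, g in normal + enforced]

def resultant_settings(chain, member_of):
    """Effective settings for a principal with the given group memberships."""
    result = {}
    for gpo in processing_order(chain):
        if gpo.apply_to & member_of:    # security filtering: no Read + Apply, no effect
            result.update(gpo.settings)
    return result

# Constructed sample: a No Override domain GPO, an OU that blocks inheritance,
# and one GPO filtered to a single security group.
LOCAL = Container("Local", [GPO("Local", {"wallpaper": "local.bmp", "run_cmd": "yes"})])
SITE = Container("HQ site", [GPO("Site-Proxy", {"proxy": "site-proxy"})])
DOMAIN = Container("corp.local", [
    GPO("Domain-Security", {"run_cmd": "no"}, no_override=True),
    GPO("Domain-Desktop", {"wallpaper": "corp.bmp"}),
])
SALES = Container("Sales OU", [
    GPO("Sales-Top", {"wallpaper": "sales-top.bmp"}),            # top of the list: wins
    GPO("Sales-Bottom", {"wallpaper": "sales-bottom.bmp", "run_cmd": "yes"}),
    GPO("Sales-Laptops", {"proxy": "none"}, apply_to=frozenset({"Sales Laptops"})),
], block_inheritance=True)
CHAIN = [LOCAL, SITE, DOMAIN, SALES]
```

Running `resultant_settings(CHAIN, {"Authenticated Users"})` shows the site proxy blocked, the Sales-Top wallpaper winning over Sales-Bottom, and run_cmd forced to "no" by the No Override domain GPO despite the block.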

 

VI.               Modifying Group Policies

Group Policies can be modified through one of two sections: Computer Configuration or User Configuration. Each of these configuration screens contains three main folders as well: Software Settings, Windows Settings, and Administrative Templates.

A.     Changing the policy

1.      Group Policy MMC

a.      Any existing GPO within the domain can be opened (permissions allowing).

b.      A new GPO can be created during this process as well.

2.      All objects can be defined or non-defined.

a.      Defined: Provides configuration to the system during application

b.      Non-defined: No configuration information stored within the GPO for the setting

i.                    Not synonymous with disabled

ii.                  Disabled should only be used to actively turn a selection off, from its normal state of on or enabled.

iii.                Configuring a setting as enabled or disabled costs system time to apply the selection.

iv.                 Leave settings non-defined whenever possible

3.      Parts of a GPO can be disabled en masse through the General Properties tab of the GPO.

a.      Disable Computer Configuration settings

b.      Disable User Configuration settings

B.     Deleting a GPO

1.      Active Directory Users and Computers administrative tool

2.      Properties of the domain object

 

VII.             Controlling the user environment using administrative templates

Administrative templates provide more control of the user and system environments. Similar to GPO, administrative templates (ATs) allow for modification of almost any registry entry that exists within the Windows 2000 operating system.

A.     Scope of control

1.      ATs are basically scripts that modify the registry of a system when a user logs on to the system.

a.      All changes made to the registry are temporary.

b.      Changes are removed when the user logs off.

2.      Registry modifications are limited to two keys (however, they are the most commonly configured keys anyway).

a.      HKEY_CURRENT_USER – contains all aspects of desktop and user settings.

b.      HKEY_LOCAL_MACHINE – contains all software configuration.

B.     Creating and importing a custom AT

1.      All custom files created need to have the .ADM extension

2.      Saved to the %SystemRoot%\INF folder

3.      Add template through Users and Computers

 

VIII.           Assigning script policies to users and computers

New to Windows 2000 is the ability to assign logon scripts to users and computers as well as assigning scripts to run during logoff.

A.     Set through GPO

1.      Subject to processing sequence of GPO

a.      LSDOU

b.      System processed before user

c.      Processing order is reversed when running shutdown scripts

B.     User scripts: Standard scripts which have been around since the days of DOS and LAN Manager

1.      Attached to specific users within the organization

2.      Run on all systems to which the user connects

3.      Run during logon and logoff process

C.    Computer scripts: New to Windows 2000 and will only work with Windows 2000 client machines

1.      Attached to specific system

2.      Run no matter who logs onto the system

3.      Run during logon and logoff process

 
