Chapter 6: Implementing Group Policy (Presentation)
Figure: GPO links in the Active Directory hierarchy (Site, Domain, OU1 and OU2), with GPO2, GPO3 and GPO4 linked at different levels.
Registry-based Policy
Security Settings
Software Restrictions
Software Distribution and Installation
Computer and User Scripts
Roaming User Profiles and Redirected Folders
Offline Folders
Internet Explorer Maintenance
The most common and easiest way to provide
policy for an application or operating system
component is to implement registry-based
policy.
With the new Group Policy Management
Console (GPMC) and the Group Policy Object
Editor, administrators can define registry-
based policies for applications, the operating
system, and its components.
Example: an administrator can enable a
policy setting that removes the Run
command from the Start menu for all
affected users.
Registry-based policy edits operating system
registry settings.
Group Policy provides options for
administrators to set security options for
computers and users within the scope of a
GPO.
Local computer, domain, and network
security settings can be specified.
For added protection, administrators can
apply software restriction policies that
prevent users from running files based on the
path, URL zone, or publisher criteria.
Administrators can make exceptions to this
default security level by creating rules for
specific software.
To defend against viruses, unwanted
applications, and attacks on computers
running Windows XP and Windows Server
2003, Group Policy includes new software
restriction policies.
Administrators can use policies to identify
software running in a domain and control its
ability to execute.
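As an added example (not part of the presentation), the PowerShell script below audits the software restriction policy that is effective on a computer by reading the registry keys the Security Settings extension writes. It assumes the well-known Safer\CodeIdentifiers layout: a DefaultLevel DWORD, one subkey per security level, and Paths/Hashes subkeys holding GUID-named rules with an ItemData value; certificate and URL-zone rules are not enumerated here.

```powershell
# Added example (not from the presentation): list the default security level
# and the path/hash rules of the software restriction policy on this machine.
# Assumed: the standard Safer registry layout described in the lead-in.

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security level values used by software restriction policies
$LevelNames = @{
    0      = 'Disallowed'
    131072 = 'Basic User'    # 0x20000
    262144 = 'Unrestricted'  # 0x40000
}

function Get-SrpDefaultLevel {
    if (-not (Test-Path $SaferKey)) { return 'No software restriction policy is configured' }
    $props = Get-ItemProperty -Path $SaferKey -ErrorAction SilentlyContinue
    if ($null -eq $props.DefaultLevel) { return 'DefaultLevel not set (treated as Unrestricted)' }
    $name = $LevelNames[[int]$props.DefaultLevel]
    if (-not $name) { $name = 'Unknown' }
    return ('Default security level: {0} ({1})' -f $name, $props.DefaultLevel)
}

function Get-SrpRules {
    # One object per rule: the level it enforces, the rule type and its target
    $rules = @()
    if (-not (Test-Path $SaferKey)) { return $rules }
    foreach ($levelKey in Get-ChildItem -Path $SaferKey) {
        # Level subkeys are named by their numeric value (0, 131072, 262144)
        $levelValue = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$levelValue)) { continue }
        $levelName = $LevelNames[$levelValue]
        if (-not $levelName) { $levelName = 'Unknown' }
        foreach ($ruleType in 'Paths', 'Hashes') {
            $typeKey = Join-Path $levelKey.PSPath $ruleType
            if (-not (Test-Path $typeKey)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $typeKey) {
                $r = Get-ItemProperty -Path $ruleKey.PSPath
                # Path rules store a string; hash rules store the hash as binary data
                $target = if ($ruleType -eq 'Paths') { $r.ItemData }
                          else { ($r.ItemData | ForEach-Object { $_.ToString('x2') }) -join '' }
                $rules += [pscustomobject]@{
                    Level       = $levelName
                    RuleType    = $ruleType.TrimEnd('s')
                    Target      = $target
                    Description = $r.Description
                }
            }
        }
    }
    return $rules
}

Get-SrpDefaultLevel
Get-SrpRules | Format-Table -AutoSize
```

Running it on a machine with a Disallowed default level and a few Unrestricted path rules shows at a glance which locations users can still execute from, which is the review a defender wants before trusting the policy.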
Administrators can manage application
installation, updates, and removal centrally
with Group Policy.
Because organizations can deploy and
manage customized desktop configurations,
they spend less money supporting users on
an individual basis.
Software can be either assigned to users or
computers (mandatory software distribution)
or published to users (allowing users to
optionally install software through
Add/Remove Programs in the Control Panel).
Users get the flexibility they need to do their
jobs without having to spend time
configuring their system on their own.
Administrators can use scripts to automate
tasks at computer startup and shutdown and
user logon and logoff.
Any language supported by Windows
Scripting Host can be used, including the
Microsoft Visual Basic® development system,
Scripting Edition (VBScript); JavaScript;
Perl; and MS-DOS®-style batch files (.bat
and .cmd).
Roaming user profiles provide the ability to store
user profiles centrally on a server and load them
when a user logs on.
Through folder redirection, important user
folders, such as the My Documents and Start
menu, can be redirected to a server-based
location.
Folder redirection allows centralized
management and the capability to easily back up
and restore these folders.
When a network is unavailable, the Offline
Folders feature provides access to network files
and folders from a local disk.
Users are assured access to critical information
even when network connections are unstable or
nonpermanent or when using a mobile
computer.
When users reconnect to their network, the
client files and server files are synchronized,
thereby keeping versions consistent and
up-to-date.
Administrators can manage and customize
the configuration of Microsoft Internet
Explorer on computers that support Group
Policy.
The Group Policy Object Editor includes the
Internet Explorer Maintenance node, which
administrators use to edit Internet Explorer
security zones, privacy settings, and other
parameters on a computer.
Group Policy Objects (GPOs) are collections of
Group Policy settings.
To create a specific desktop configuration for
users, you create GPOs.
Each computer running Microsoft Windows
Server 2003 has:
One Local GPO
Any number of Non-Local GPOs
One local GPO is stored on each computer
(whether or not it is on a network).
A local GPO affects only the computer on
which it is stored.
The local GPO settings can be overridden by
nonlocal GPOs in a networked environment,
and vice versa.
Default store location:
%Systemroot%\System32\GroupPolicy.
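As an added example (not part of the presentation), the PowerShell script below inspects the local GPO stored under %SystemRoot%\System32\GroupPolicy. It assumes the standard GPO folder layout: a gpt.ini whose Version counter packs the computer-side change count in the low 16 bits and the user-side count in the high 16 bits, Machine and User subfolders, and a scripts.ini under each Scripts folder listing the startup/shutdown and logon/logoff scripts.

```powershell
# Added example (not from the presentation): report the local GPO's version
# and the scripts it runs. Assumed: the standard gpt.ini and scripts.ini
# layout described in the lead-in.

$LocalGpoPath = Join-Path $env:SystemRoot 'System32\GroupPolicy'

function Get-LocalGpoVersion {
    # gpt.ini holds "[General]" followed by "Version=<n>"
    $gpt = Join-Path $LocalGpoPath 'gpt.ini'
    if (-not (Test-Path $gpt)) { return $null }
    $line = Get-Content $gpt | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
    if (-not ($line -match '^Version=(\d+)')) { return $null }
    $version = [int]$Matches[1]
    return [pscustomobject]@{
        Version         = $version
        ComputerVersion = $version -band 0xFFFF            # low 16 bits
        UserVersion     = ($version -shr 16) -band 0xFFFF  # high 16 bits
    }
}

function Get-LocalGpoScripts {
    # scripts.ini entries look like:
    #   [Startup]
    #   0CmdLine=inventory.cmd
    #   0Parameters=
    $results = @()
    foreach ($side in 'Machine', 'User') {
        $ini = Join-Path $LocalGpoPath "$side\Scripts\scripts.ini"
        if (-not (Test-Path $ini)) { continue }
        $section = $null
        foreach ($raw in Get-Content $ini) {
            $line = $raw.Trim()
            if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
            if ($line -match '^(\d+)CmdLine=(.*)$') {
                $results += [pscustomobject]@{
                    Side    = $side        # Machine = startup/shutdown, User = logon/logoff
                    Event   = $section
                    Order   = [int]$Matches[1]
                    Command = $Matches[2]
                }
            }
        }
    }
    return $results
}

if (-not (Test-Path $LocalGpoPath)) {
    "Local GPO store not found at $LocalGpoPath"
} else {
    "Local GPO store: $LocalGpoPath"
    foreach ($side in 'Machine', 'User') {
        $present = Test-Path (Join-Path $LocalGpoPath $side)
        '{0,-8} folder present: {1}' -f $side, $present
    }
    Get-LocalGpoVersion | Format-List
    Get-LocalGpoScripts  | Sort-Object Side, Event, Order | Format-Table -AutoSize
}
```

Because the local GPO is applied before any site, domain or OU GPO, a startup script listed here runs with SYSTEM rights on every boot, so the Scripts listing is worth checking on any machine whose local policy is not centrally controlled.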
Nonlocal GPOs are created in Active
Directory and must be linked to a site,
domain, or OU in order to be applied to either
users or computers.
By default, two nonlocal GPOs are created:
Default Domain Policy
Default Domain Controllers Policy
Default Domain Policy
This GPO is linked to the domain.
It affects all users and computers in the domain.
Default Domain Controllers Policy
This GPO is linked to the Domain Controllers OU.
It generally affects only domain controllers.
You use the Group Policy Object Editor to organize
and manage the Group Policy settings in each GPO.
Group Policy settings are contained in a GPO
and determine the user's desktop environment.
You can view the Group Policy settings for a GPO
in the Group Policy Object Editor.
There are two types of Group Policy settings:
Computer Configuration Settings
User Configuration Settings.
They are contained in the Computer
Configuration and the User Configuration nodes
in a GPO.
The Computer Configuration node contains
the settings used to set group policies applied
to computers, regardless of who logs on to
them.
Computer configuration settings are applied
when the operating system initializes.
The User Configuration node contains the
settings used to set group policies applied to
users, regardless of which computer the user
logs on to.
User configuration settings are applied when
users log on to the computer.
Both these nodes include settings for installing
software, settings for installing and accessing
the Windows Server 2003 operating system, and
registry settings.
In both the Computer Configuration and the
User Configuration nodes, the Software
Settings node contains only the Software
Installation extension by default.
The Software Installation extension helps you
specify how applications are installed and
maintained within your organization.
It also provides a place for independent
software vendors to add settings.
In both the Computer Configuration and the
User Configuration nodes, the Windows
Settings node contains the Scripts extension
and the Security Settings node.
The Scripts extension allows you to specify
two types of scripts: startup/shutdown (in the
Computer Configuration node) and
logon/logoff (in the User Configuration node).
In both the Computer Configuration and the
User Configuration nodes, the Administrative
Templates node contains registry-based
Group Policy settings.
There are more than 550 of these settings
available for configuring the user
environment.
As an administrator, you might spend a
significant amount of time manipulating
these settings.
Each of the settings in the Administrative
Templates node can be:
Not Configured: The registry is not modified.
Enabled: The registry reflects that the policy
setting is selected.
Disabled: The registry reflects that the policy
setting is not selected.
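As an added example (not part of the presentation), the PowerShell script below shows how the three states of an Administrative Templates setting appear in the registry, using the "remove the Run command from the Start menu" setting mentioned earlier: Enabled writes NoRun=1, Disabled writes NoRun=0, and Not Configured leaves the value absent. It checks both hives because the User Configuration half of a GPO lands under HKCU and the Computer Configuration half under HKLM. The NoRun value name and its Policies\Explorer location are assumptions taken from the standard Windows policy registry layout, not from the presentation.

```powershell
# Added example (not from the presentation): translate the raw registry
# content of a registry-based policy into the state shown in the
# Group Policy Object Editor. Assumed: the NoRun value under
# Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.

$PolicyTargets = @{
    'User Configuration (HKCU)'     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    'Computer Configuration (HKLM)' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
}

function Get-PolicyState {
    param([string]$KeyPath, [string]$ValueName)
    # Not Configured: the key or value does not exist, so the registry is untouched
    if (-not (Test-Path $KeyPath)) { return 'Not Configured' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not Configured' }
    # Enabled and Disabled both write the value; only its content differs
    switch ([int]$item.$ValueName) {
        1       { return 'Enabled' }
        0       { return 'Disabled' }
        default { return "Unexpected value $($item.$ValueName)" }
    }
}

foreach ($target in $PolicyTargets.GetEnumerator()) {
    $state = Get-PolicyState -KeyPath $target.Value -ValueName 'NoRun'
    '{0,-32} NoRun: {1}' -f $target.Key, $state
}
```

Get-PolicyState works for any on/off Administrative Templates setting that is stored as a 0/1 DWORD under a Policies key; pass the key path and value name of the setting you want to verify. The distinction matters when auditing: a setting that reads Disabled was deliberately written by policy, while Not Configured means the default behaviour of the operating system applies.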