20411C - 04 Implementing A Group Policy Infrastructure

The document provides an overview of a Microsoft Official Course on implementing a Group Policy infrastructure. It covers topics such as introducing Group Policy, implementing and administering GPOs, Group Policy scope and processing, and troubleshooting Group Policy application. The document contains module overviews, lesson plans, and demonstrations for working with Group Policy.

Uploaded by Sulayman Alwabel

Microsoft Official Course

Module 4

Implementing a Group Policy Infrastructure

Module Overview

• Introducing Group Policy
• Implementing and Administering GPOs
• Group Policy Scope and Group Policy Processing
• Troubleshooting the Application of GPOs

Lesson 1: Introducing Group Policy

• What Is Configuration Management?
• Overview of Group Policies
• Benefits of Using Group Policy
• Group Policy Objects
• GPO Scope
• Group Policy Client and Client-Side Extensions
• Demonstration: How to Create a GPO and Configure GPO Settings

What Is Configuration Management?

• Configuration management is a centralized approach to applying one or more changes to one or more users or computers
• The key elements of configuration management are:
  • Setting
  • Scope
  • Application

Overview of Group Policies

• The most granular component of Group Policy is known as a policy and defines a specific configuration change
• A policy setting can have three states:
  • Not Configured
  • Enabled
  • Disabled
• Many policy settings are complex, and the effect of enabling or disabling them might not be obvious

Benefits of Using Group Policy

• GPOs are very powerful administrative tools. You can use them to enforce various types of settings to a large number of users and computers
• Typically, GPOs are used in the following way:
  • Apply security settings
  • Manage desktop application settings
  • Deploy application software
  • Manage folder redirection
  • Configure network settings

Group Policy Objects

A GPO is:
• A container for one or more policy settings
• Managed with the GPMC
• Stored in the GPOs container
• Edited with the GPME
• Applied to a specific level in the AD DS hierarchy

GPO Scope

• The scope of a GPO is the collection of users and computers that will apply the settings in the GPO. You can use several methods to scope a GPO:
  • Link the GPO to a container, such as an OU
  • Filter by using security settings
  • Filter by using WMI filters

Group Policy Client and Client-Side Extensions

1. Group Policy client retrieves GPOs
2. Client downloads and caches GPOs
3. CSEs process the settings

• Policy settings in the Computer Configuration node are applied at system startup and every 90–120 minutes thereafter
• User Configuration policy settings are applied at logon and every 90–120 minutes thereafter

Demonstration: How to Create a GPO and Configure GPO Settings

In this demonstration, you will see how to:
• Use the GPMC to create a new GPO
• Configure Group Policy settings

Lesson 2: Implementing and Administering GPOs

• Domain-Based GPOs
• GPO Storage
• Starter GPOs
• Common GPO Management Tasks
• Delegating Administration of Group Policies
• Managing GPOs with Windows PowerShell

Domain-Based GPOs
GPO Storage

GPO
• Contains Group Policy settings
• Stores content in two locations

Group Policy Container
• Stored in AD DS
• Provides version information

Group Policy Template
• Stored in shared SYSVOL folder
• Provides Group Policy settings

Starter GPOs

A Starter GPO:
• Stores administrative template settings on which the new GPOs will be based
• Can be exported to .cab files
• Can be imported into other areas of the enterprise

[Figure: a Starter GPO is exported to a .cab (cabinet) file, and the .cab file is loaded to import it into the GPMC]

Common GPO Management Tasks

• GPMC provides several options for managing the state of GPOs:
  • Back up GPOs
  • Restore GPOs
  • Copy GPOs
  • Import GPOs

Delegating Administration of Group Policies

• Delegation of GPO-related tasks allows the administrative workload to be distributed across the enterprise
• The following Group Policy tasks can be independently delegated:
  • Creating GPOs
  • Editing GPOs
  • Managing Group Policy links for a site, domain or OU
  • Performing Group Policy Modeling analysis in a domain or OU
  • Reading Group Policy Results data in a domain or OU
  • Creating WMI filters on a domain

Managing GPOs with Windows PowerShell

In addition to using GPMC and the GPM Editor, you can also perform common GPO administrative tasks by using Windows PowerShell

Examples:
• Create a new GPO called Sales:
  New-GPO -Name Sales -Comment "This is the sales GPO"
• Import the settings from the backed up Sales GPO stored in the C:\Backups folder into the NewSales GPO:
  Import-GPO -BackupGpoName Sales -TargetName NewSales -Path C:\Backups

Lesson 3: Group Policy Scope and Group Policy Processing

• GPO Links
• Demonstration: How to Link GPOs
• Group Policy Processing Order
• Configuring GPO Inheritance and Precedence
• Using Security Filtering to Modify Group Scope
• What Are WMI Filters?
• Demonstration: How to Filter Policies
• Enable and Disable GPOs and GPO Nodes
• Loopback Policy Processing
• Strategies for Slow Links and Disconnected Systems
• Identifying When Settings Become Effective

GPO Links
Demonstration: How to Link GPOs

In this demonstration, you will see how to:
• Create and link GPOs to different locations
• Disable a GPO link
• Delete a GPO link

Group Policy Processing Order

[Figure: GPOs are processed in this order: GPO1 (Local Policy), GPO2 (Site), GPO3 (Domain), GPO4 (OU), GPO5 (OU)]

Configuring GPO Inheritance and Precedence

1. The application of GPOs linked to each container results in a cumulative effect called inheritance
   • Default Precedence: Local → Site → Domain → OU → OU… (LSDOU)
   • Seen on the Group Policy Inheritance tab
2. Link order (attribute of GPO Link)
   • Lower number → Higher on list → Precedent
3. Block Inheritance (attribute of OU)
   • Blocks the processing of GPOs from above
4. Enforced (attribute of GPO Link)
   • Enforced GPOs “blast through” Block Inheritance
   • Enforced GPO settings win over conflicting settings in lower GPOs
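
The four rules above, worked through on a constructed hierarchy. This is an added example, not part of the course material; all container and GPO names are hypothetical, and the tie-break that among several enforced links the one highest in the hierarchy wins is standard Group Policy behaviour that the slide does not spell out.

```powershell
# Constructed hierarchy, listed top-down to the OU that holds the target computer.
# Every container and GPO name here is hypothetical sample data.
function New-Link($Gpo, $Order, [switch]$Enforced, [switch]$Disabled) {
    [pscustomobject]@{ Gpo = $Gpo; Order = $Order
                       Enforced = [bool]$Enforced; Enabled = -not $Disabled }
}
function New-Container($Name, $Links, [switch]$BlockInheritance) {
    [pscustomobject]@{ Name = $Name; Links = @($Links)
                       BlockInheritance = [bool]$BlockInheritance }
}
$hierarchy = @(
    New-Container 'Site'        @(New-Link 'Site-Network' 1)
    New-Container 'Domain'      @((New-Link 'Security-Baseline' 1 -Enforced),
                                  (New-Link 'Desktop-Defaults' 2))
    New-Container 'OU=Research' @((New-Link 'Research-Apps' 2),
                                  (New-Link 'Research-Screen' 1)) -BlockInheritance
    New-Container 'OU=Labs'     @((New-Link 'Labs-Kiosk' 1),
                                  (New-Link 'Labs-Old' 2 -Disabled))
)

function Get-GpoPrecedence {
    param([Parameter(Mandatory)][object[]]$Containers)
    $enforced = @(); $normal = @(); $blocked = $false
    # Enforced links ignore Block Inheritance. Walk top-down so that the
    # enforced link highest in the hierarchy gets the highest precedence.
    foreach ($c in $Containers) {
        $enforced += @($c.Links | Where-Object { $_.Enabled -and $_.Enforced } |
            Sort-Object Order | ForEach-Object Gpo)
    }
    # Normal links: walk bottom-up (closest container wins) and stop climbing
    # once a container with Block Inheritance has contributed its own links.
    for ($i = $Containers.Count - 1; $i -ge 0 -and -not $blocked; $i--) {
        $c = $Containers[$i]
        $normal += @($c.Links | Where-Object { $_.Enabled -and -not $_.Enforced } |
            Sort-Object Order | ForEach-Object Gpo)
        $blocked = $c.BlockInheritance
    }
    # Local policy is processed first, so it has the lowest precedence.
    $rank = 0
    foreach ($gpo in $enforced + $normal + 'Local Policy') {
        $rank++
        [pscustomobject]@{ Precedence = $rank; Gpo = $gpo; Enforced = $gpo -in $enforced }
    }
}

Get-GpoPrecedence $hierarchy
```

In the sample, Block Inheritance on OU=Research drops Desktop-Defaults and Site-Network, while the enforced Security-Baseline still applies with the highest precedence. On a live domain, `Get-GPInheritance -Target` reports the computed order for a container.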
Using Security Filtering to Modify Group Scope

• Apply Group Policy permission
  • GPO has an ACL (Delegation tab → Advanced)
  • Default: Authenticated Users have Allow Read and Allow Apply Group Policy
• Scope only to users in selected global groups
  • Remove Authenticated Users
  • Add appropriate global groups
  • Must be global groups (GPOs do not scope to domain local)
• Scope to users except for those in selected groups
  • On the Delegation tab, click Advanced
  • Add appropriate global groups
  • Deny Apply Group Policy permission
  • Does not appear on the Delegation tab or in filtering section
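
The three ACL configurations described above, evaluated for two sample users. This is an added example, not part of the course material; the group names and ACL entries are constructed, and the evaluator is a simplified model in which a principal needs both Read and Apply Group Policy allowed and any matching Deny wins.

```powershell
# Constructed ACLs for one GPO in the three configurations from the slide.
# Group names (GG-Sales, GG-Research-Engineers) are hypothetical.
function New-Ace($Trustee, $Right, $Type = 'Allow') {
    [pscustomobject]@{ Trustee = $Trustee; Right = $Right; Type = $Type }
}
$acls = [ordered]@{
    'Default'         = @((New-Ace 'Authenticated Users' 'Read'),
                          (New-Ace 'Authenticated Users' 'Apply'))
    'Scoped to group' = @((New-Ace 'GG-Sales' 'Read'),
                          (New-Ace 'GG-Sales' 'Apply'))
    'Exemption group' = @((New-Ace 'Authenticated Users' 'Read'),
                          (New-Ace 'Authenticated Users' 'Apply'),
                          (New-Ace 'GG-Research-Engineers' 'Apply' 'Deny'))
}

function Test-GpoApplies {
    param([object[]]$Acl, [string[]]$MemberOf)
    # Only entries whose trustee is one of the principal's groups count.
    $mine = @($Acl | Where-Object { $MemberOf -contains $_.Trustee })
    foreach ($right in 'Read', 'Apply') {
        $aces = @($mine | Where-Object { $_.Right -eq $right })
        if ($aces.Type -contains 'Deny')     { return $false }  # an explicit Deny wins
        if ($aces.Type -notcontains 'Allow') { return $false }  # nothing grants the right
    }
    $true
}

# Constructed group memberships for two sample users.
$users = [ordered]@{
    'Sales clerk'       = 'Authenticated Users', 'GG-Sales'
    'Research engineer' = 'Authenticated Users', 'GG-Research-Engineers'
}
foreach ($cfg in $acls.Keys) {
    foreach ($u in $users.Keys) {
        [pscustomobject]@{
            Acl     = $cfg
            User    = $u
            Applies = Test-GpoApplies -Acl $acls[$cfg] -MemberOf $users[$u]
        }
    }
}
```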
What Are WMI Filters?
Demonstration: How to Filter Policies

In this demonstration, you will see how to:
• Filter Group Policy application by using security group filtering
• Filter Group Policy application by using WMI filtering

Enable and Disable GPOs and GPO Nodes
Loopback Policy Processing
Strategies for Slow Links and Disconnected Systems
Identifying When Settings Become Effective

• GPO replication must happen
• Group changes must be replicated
• Group Policy refresh must occur
• User must log off or log on, or the computer must restart
• Manual refresh
• Most CSEs do not reapply unchanged GPO settings

Considerations For Managing Group Policy In A Multi-Domain Environment

• Domain trust required for simplifying multi-domain management of Group Policy
  • Use migration tables to automate the updates to UNC paths and security principals
• Common GPO management techniques are valid across domains
  • Copy GPOs (Copy-GPO)
  • Import GPOs (Import-GPO)
  • Backing up and restoring (Backup-GPO, Restore-GPO)
• Multi-domain environment may be made up of an internal test implementation of AD DS and a production implementation of AD DS

Lesson 4: Troubleshooting the Application of GPOs

• Refreshing GPOs
• What is RSoP?
• Generate RSoP Reports
• Demonstration: How to Perform What-if Analysis with the Group Policy Modeling Wizard
• Examine Policy Event Logs

Refreshing GPOs

• When you apply GPOs, remember that:
  • Computer settings apply at startup
  • User settings apply at logon
  • Policies refresh at regular, configurable intervals
  • Security settings refresh at least every 16 hours
  • Policies refresh manually by using:
    • The Gpupdate command
    • The Windows PowerShell cmdlet Invoke-GPUpdate
• With the new Remote Policy Refresh feature in Windows Server 2012, you can remotely refresh policies

What is RSoP?

Windows Server 2012 provides the following tools for performing RSoP analysis:
• The Group Policy Results Wizard
• The Group Policy Modeling Wizard
• GPResult.exe

[Figure: GPO1 (Local), GPO2 (Site), GPO3 (Domain), GPO4 (OU), GPO5 (OU)]

Generate RSoP Reports
Demonstration: How to Perform What-if Analysis with the Group Policy Modeling Wizard

In this demonstration, you will see how to:
• Use GPResult.exe and the Group Policy Reporting Wizard
• Use the Group Policy Modeling Wizard

Examine Policy Event Logs
Lab: Implementing a Group Policy Infrastructure

• Exercise 1: Creating and Configuring Group Policy Objects
• Exercise 2: Managing GPO Scope
• Exercise 3: Verifying GPO Application
• Exercise 4: Managing GPOs

Logon Information
Virtual machines: 20411C-LON-DC1, 20411C-LON-CL1
User Name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 90 minutes


Lab Scenario

A. Datum is a global engineering and manufacturing company with its head office in London, United Kingdom. An IT office and a data center are located in London to support the London office and other locations. A. Datum recently has deployed a Windows Server 2012 server and client infrastructure.

You have been asked to use Group Policy to implement standardized security settings to lock computer screens when users leave computers unattended for 10 minutes or more. You also have to configure a policy setting that will prevent access to certain programs on local workstations.

Lab Scenario

After some time, you have been made aware that a critical application fails when the screen saver starts, and an engineer has asked you to prevent the setting from applying to the team of Research engineers that uses the application every day. You have also been asked to configure conference room computers to use a 45-minute timeout.

After creating the policies, you need to evaluate the resultant set of policies for users in your environment to ensure that the Group Policy infrastructure is optimized and that all policies are applied as they were intended.

Lab Review

• Which policy settings are already being deployed by using Group Policy in your organization?
• Many organizations rely heavily on security group filtering to scope GPOs, rather than linking GPOs to specific OUs. In these organizations, GPOs typically are linked very high in the Active Directory logical structure, to the domain itself or to a first-level OU. What advantages do you gain by using security group filtering rather than GPO links to manage a GPO’s scope?
• Why might it be useful to create an exemption group (a group that is denied the Apply Group Policy permission) for every GPO that you create?

Lab Review

• Do you use loopback policy processing in your organization? In which scenarios and for which policy settings can loopback policy processing add value?
• In which situations have you used RSoP reports to troubleshoot Group Policy application in your organization?
• In which situations have you used, or could you anticipate using, Group Policy modeling?

Module Review and Takeaways

• Review Question(s)
• Tools
• Common Issues and Troubleshooting Tips
