6. Group Policy and Group Policy Objects
**********************
Group policies are collections of user and computer configuration settings that specify how programs, network resources, and the operating system work for users and computers in an organization.
**********************
Group Policy Objects (GPOs) are collections of Group Policy settings.
One local GPO is stored on each computer whether or not the computer is part of an Active Directory environment or a networked environment.
Local GPO settings can be overridden by nonlocal GPOs.
You can use the Group Policy Object Editor to organize and manage the Group Policy settings in the local GPO.
By default, two nonlocal GPOs, the Default Domain Policy and the Default Domain Controllers Policy, are created when the Active Directory directory service is set up.
You can determine which administrative groups can administer GPOs by defining permissions for each GPO in the GPO’s Security tab.
You use the Group Policy Object Editor to organize and manage the Group Policy settings in each nonlocal GPO.
You can view the Group Policy settings for a GPO in the Group Policy Object Editor.
**********************
There are two types of Group Policy Settings: computer configuration settings contained in the Computer Configuration node of the GPO and user configuration settings contained in the User Configuration node of the GPO.
The Computer Configuration node contains the settings used to set group policies applied to computers, regardless of who logs on to them.
The User Configuration node contains the settings used to set group policies applied to users, regardless of which computer the user logs on to.
**********************
You assign an application to a computer when you want computers or users managed by the GPO to have the application.
You publish an application when you want the application to be available to users managed by the GPO, should a user want the application.
**********************
Two types of scripts: startup/shutdown in the Computer Configuration node and logon/logoff in the User Configuration node.
By default, the time-out value for processing scripts is 10 minutes.
**********************
Remote Installation Services (RIS) is used to control the behavior of a remote operating system installation.
**********************
An administrative template is actually a text file used to generate the user interface for the Group Policy settings you can set on the Group Policy Object Editor.
In Windows Server 2003, administrative templates have the .adm file name extension.
There are three types of administrative templates: default, vendor-supplied and custom.
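As an added example (not part of these notes), here is a minimal custom administrative template in the .adm format that the Group Policy Object Editor loads. The category, policy, registry key and value names are invented placeholders; the keywords (CLASS, CATEGORY, POLICY, KEYNAME, EXPLAIN, VALUENAME, VALUEON/VALUEOFF, PART, [strings]) are the template syntax itself.

```adm
; Added example template (placeholder names). Save as a .adm file and load it
; through Administrative Templates > Add/Remove Templates in the Group Policy Object Editor.

CLASS MACHINE                               ; settings appear under Computer Configuration

CATEGORY !!ExampleCategory
    POLICY !!ExamplePolicy
        ; Keep custom settings under Software\Policies so they are true policies:
        ; values there are removed when the GPO no longer applies. Keys outside the
        ; Policies trees are treated as preferences, are hidden by the editor's default
        ; "only show fully managed settings" filter, and stay behind in the registry.
        KEYNAME "Software\Policies\Example\Settings"
        EXPLAIN !!ExamplePolicy_Explain

        ; Enabled writes 1, Disabled writes 0, Not Configured leaves the value untouched.
        VALUENAME "RestrictFeature"
        VALUEON  NUMERIC 1
        VALUEOFF NUMERIC 0

        ; An extra numeric field shown in the policy's dialog box.
        PART !!TimeoutLabel NUMERIC REQUIRED
            VALUENAME "TimeoutSeconds"
            MIN 1 MAX 3600 DEFAULT 60
        END PART
    END POLICY
END CATEGORY

[strings]
ExampleCategory="Example Custom Settings"
ExamplePolicy="Restrict the example feature"
ExamplePolicy_Explain="Enabled sets RestrictFeature=1 under HKLM\Software\Policies\Example\Settings and records the timeout; Disabled sets it to 0; Not Configured leaves the value unset."
TimeoutLabel="Timeout in seconds:"
```

Because the template only generates the user interface, nothing is enforced by the file itself: the values it describes are written by the Registry client-side extension when the GPO applies, and the program being configured must actually read them.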
**********************
Group Policy Inheritance
In general, Group Policy is passed down from parent to child containers within a domain. Group Policy is not inherited from parent to child domains.
**********************
Using WMI Queries
Windows Management Instrumentation (WMI) is a management infrastructure that allows administrators to monitor and control managed objects in the network.
WMI queries are written using the WMI Query Language (WQL).
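An added example (not code from these notes) of how a WMI filter on a GPO is evaluated: the WQL query is run on the client, and the GPO applies only when the query returns at least one instance. The function name and the sample query are my own; the query targets domain controllers through the ProductType property of Win32_OperatingSystem.

```powershell
# Added example: evaluate a WQL query locally the way a GPO WMI filter is evaluated.
# Test-WmiFilter is a name invented for this example; the query is a sample.

function Test-WmiFilter {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\CIMv2'      # namespace the filter is defined against
    )
    $instances = Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop
    # A filter "passes" when at least one instance comes back; an empty result
    # means the linked GPO is skipped for this computer.
    return ($null -ne $instances)
}

# Sample filter: ProductType 2 = domain controller, 1 = workstation, 3 = member server.
$dcOnly = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2'

if (Test-WmiFilter -Query $dcOnly) {
    "Filter matched: a GPO carrying this WMI filter would apply on this computer."
} else {
    "Filter did not match: a GPO carrying this WMI filter would be skipped here."
}
```

Two caveats worth remembering when relying on WMI filters for scoping: the query runs at every policy refresh on the client, so an expensive query slows logon and startup, and Windows 2000 clients ignore WMI filters entirely and apply the GPO regardless of the filter result.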
**********************
Delegating Control of GPOs
There are different GPO-related tasks for which you can delegate control: GPO editing, GPO creation, and GPO object linking.
You delegate control of GPO creation by making users members of the Group Policy Creator Owners group and delegating to them control of GPO object linking.
**********************
Planning and Implementing Group Policy
There are over 600 Group Policy settings in Windows Server 2003.
Planning GPOs
Basically, you can build GPOs by using a decentralized or a centralized design.
Planning Administrative Control
The appropriate level of administrative control can be delegated by using a centralized, decentralized, or task-based administrative control design.
In the centralized design, administration of Group Policy is delegated only to top-level OU administrators.
In the decentralized design, administration of Group Policy is delegated to top-level and to second-level OU administrators.
In the task-based design, administration of specific group policies is delegated to administrators that handle the associated specific tasks, such as security or applications.
**********************
Linking Group Policy Objects
The linking of a GPO to a site, domain, or organizational unit causes the Group Policy settings to affect user and computer objects in that site, domain, or organizational unit.
You can create a GPO for domains and organizational units by using Active Directory Users and Computers.
You can create a GPO for a site by using Active Directory Sites and Services.
You must be a member of the Enterprise Admins group to create GPOs that are linked to sites.
To link a GPO to a site, domain or organizational unit, you must have Read and Write permissions on the gPlink and gPoptions attributes for that site, domain, or organizational unit.
**********************
Refreshing Group Policy at Established Intervals
By default, domain controllers refresh Group Policy every five minutes.
Resolving Conflicts Between Group Policy Settings
If settings from a parent container GPO conflict with settings from a child container GPO, the settings in the child container are applied last and take effect.
When computer and user settings conflict, in most instances, the computer setting overrides the user settings and applies, even though the user setting was processed last.
**********************
Delegating Control of a GPO
Nonadministrative users or groups can be given the ability to create GPOs by adding the users or groups to the Group Policy Creator Owners security group.
GPO-related tasks for which you can delegate control are: GPO editing; GPO creation; and GPO object linking.
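The two delegation points above, membership of Group Policy Creator Owners and write access to the gPLink and gPOptions attributes on a container, are the ones to audit, since whoever holds them controls which policies reach every user and computer beneath that container. This is an added example, not part of the notes; the OU distinguished name is a placeholder, and it assumes dsacls.exe (shipped in the Windows Server 2003 Support Tools) is available.

```powershell
# Added example: list who can create GPOs and who can link them to a given OU.
# The OU below is a placeholder; replace it with a real distinguished name.

$ouDn = 'OU=Sales,DC=example,DC=com'

# 1. Creation rights: members of this built-in domain group can create new GPOs.
net group "Group Policy Creator Owners" /domain

# 2. Linking rights: dsacls prints every ACE on the container. The entries that matter
#    are WRITE PROPERTY on gPLink (which GPOs are linked, and in what order) and
#    gPOptions (Block Policy Inheritance). Two lines of trailing context show the
#    READ/WRITE PROPERTY lines that follow each matching ACE.
dsacls $ouDn | Select-String -Pattern 'gPLink|gPOptions' -Context 0,2
```

Expect the resulting list to be short and to consist of the accounts you delegated deliberately; an unexpected principal with write access to gPLink is equivalent to an unexpected Domain Admin for everything under that OU.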
**********************
Resultant Set of Policy (RSoP)
RSoP is the sum of the policies applied to a user or computer, including the application of filters, such as through security groups and Windows Management Instrumentation (WMI), and exceptions, such as No Override and Block Policy Inheritance.
In Windows Server 2003, an RSoP query engine is available to poll existing GPOs and report the effects of GPOs on users and computers.
This information is gathered from the Common Information Management Object Model (CIMOM) database.
**********************
Generating RSoP Queries
Windows Server 2003 provides the following three tools for generating RSoP queries: the Resultant Set of Policy Wizard; the Gpresult command-line tool and the Advanced System Information-Policy tool.
The Resultant Set of Policy Wizard uses two modes, Logging mode and Planning mode.
The RSoP query console contains four types of information you can view: individual policy settings; a list of GPOs associated with the query; the scope of management associated with the query and GPO revision information.
The Gpresult command-line tool enables you to create and display an RSoP query on the command line.
The Advanced System Information Policy tool enables you to create an RSoP query and view the results in an HTML report that appears in the Help And Support Center window.
**********************
Delegating Control of RSoP
Permission for generating an RSoP query is set for the domain or OU by selecting one of the Generate Resultant Set of Policy Planning options in the Delegation of Authority Wizard.
**********************
Folder Redirection
You can redirect users' folders to provide a centralized location for key Windows XP Professional folders on a server or servers, called a sharepoint.
The Folder Redirection node in the Group Policy Object Editor console enables you to redirect certain special folders, such as My Documents and My Pictures, to network locations, including file shares in other forests in which two-way forest trusts have been established.
The Folder Redirection node is located under User Configuration\Windows Settings in the Group Policy Object Editor console.
**********************
Setting Up Folder Redirection
There are two ways to set up folder redirection: you can redirect special folders to one location for everyone in the site, domain or OU; or you can redirect special folders to a location according to security group membership.
**********************
Offline Files
Offline Files provides users with access to redirected folders even when they are not connected to the network.
Your permissions on the network files and folders remain the same whether you are connected to the network or working offline.
When you are disconnected from the network, you can print to local printers, but you cannot print to shared printers on the network.
The first step in setting up Offline Files is to configure the sharepoint on the Sharing tab in the Properties dialog box for the shared folder.
**********************
Troubleshooting Group Policy
Group Policy Troubleshooting Tools:
Resultant Set of Policy Wizard
Gpresult command line tool
Gpupdate command line tool
Event Viewer and various log files
**********************
Gpupdate replaces the Secedit /refreshpolicy command in Windows 2000.
**********************
You can generate a diagnostic log to record detailed information about Group Policy processing to the Userenv.log log file in the %Systemroot%\Debug\Usermode hidden folder. The generation of this diagnostic log is known as enabling verbose logging.
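As an added example (not from the notes), here is the command-line troubleshooting sequence the tools above support: force a refresh with Gpupdate, then use Gpresult to see which GPOs applied in what order and which one supplied a given setting, which is how a conflict between parent and child container GPOs is confirmed in practice. The registry key fragment is a placeholder, and the script assumes it runs on the computer being diagnosed with gpupdate.exe and gpresult.exe present.

```powershell
# Added example: refresh policy and confirm the winning GPO for one setting.
# $keyFragment is a placeholder; use the policy key you are investigating.

$keyFragment = 'Software\Policies\Example\Settings'

# 1. Apply computer policy now rather than waiting for the periodic refresh
#    (five minutes on domain controllers; 90 minutes plus a random offset elsewhere).
gpupdate /target:computer /force | Out-Null

# 2. Verbose RSoP from the command line. The report lists the applied GPOs in
#    processing order (later ones win conflicts) and, per registry setting, the
#    GPO that supplied the value.
$report = gpresult /scope computer /v

# 3. Show the applied-GPO list, with enough trailing context to see the order.
$report | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10

# 4. Locate the setting and the "GPO:" line that precedes it.
$report | Select-String -Pattern $keyFragment -Context 3,3

# 5. If the setting is missing from the report, the GPO never reached this computer:
#    check security filtering, WMI filters, and Block Policy Inheritance on the
#    containers above, then look in %Systemroot%\Debug\Usermode\Userenv.log once
#    verbose logging has been enabled.
```

If the winning GPO is not the one you expect, compare the child container's link list against the parent's and check for No Override on the parent link, since that is the one case where a parent setting beats a child setting.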
**********************