
Introduction to Group Policy

Lesson 7

Skills Matrix
Technology Skill | Objective Domain | Objective #
Using the Group Policy Management Console | Create and apply Group Policy Objects (GPOs) | 4.3
Configuring Group Policy Settings | Configure GPO templates | 4.4

Group Policy
Group Policy is a method of controlling settings
across your network.
Group Policy consists of user and computer
settings on all versions of Windows since
Windows 2000 that can be implemented during
computer startup and shutdown and user logon
and logoff.
You can configure one or more GPOs within a
domain and then use a process called linking,
which applies these settings to various containers
(domain, sites and OUs) within Active Directory.
You can link multiple GPOs to a single container or
link one GPO to multiple containers throughout
the Active Directory structure.

Group Policy
The following managed settings can be defined
or changed through Group Policies:
Registry-based policies - As the name
implies, these settings modify the Windows
Registry.
Software installation policies can be used to
ensure that users always have the latest
versions of applications.
Folder redirection allows files to be redirected
to a network drive for backup and makes them
accessible from anywhere on the network.
Offline file storage works with folder
redirection to provide the ability to cache files
locally. This allows files to be available even
when the network is inaccessible.

Group Policy
Scripts - Including logon, logoff, startup, and
shutdown scripts, these can assist in
configuring the user environment.
Windows Deployment Services (WDS) -
Assists in rebuilding or deploying workstations
quickly and efficiently in an enterprise
environment.
Microsoft Internet Explorer settings -
Provide quick links and bookmarks for user
accessibility, in addition to browser options
such as proxy use, acceptance of cookies, and
caching options.
Security settings - Protect resources on
computers in the enterprise.

Group Policy
Group Policies can be linked to sites,
domains, or OUs (not groups) to apply
those settings to all users and computers
within these Active Directory containers.
You can use security group filtering,
which allows you to apply GPO settings
to only one or more users or groups
within a container by selectively granting
the Apply Group Policy permission to
one or more users or security groups.

Group Policy Objects (GPOs)


Contain all of the Group Policy settings
that you wish to apply to user and
computer objects within a site, domain,
or OU.
Must be associated with (linked to) the
container to which they are applied.
There are three types of GPOs:
Local GPOs.
Domain GPOs.
Starter GPOs.

Local GPO
The local GPO settings are stored on the
local computer in the
%systemroot%\System32\GroupPolicy folder.
Local GPOs contain fewer options.
They do not support folder redirection or
Group Policy software installation.
Fewer security settings are available.

When a local and a nonlocal (Active
Directory-based) GPO have conflicting
settings, the local GPO is overwritten by
the nonlocal GPO.

Nonlocal GPOs
Nonlocal GPOs are created in Active Directory.
They are linked to sites, domains, or OUs.
Once linked to a container, the GPO is applied
to all users and computers within that
container by default.

GPOs are stored in two places:
Group Policy container (GPC) - An Active
Directory object that stores the properties of
the GPO.
Group Policy template (GPT) - Located in
the Policies subfolder of the SYSVOL share, the
GPT is a folder that stores policy settings, such
as security settings and script files.

Starter GPOs
A new feature in Windows Server
2008.
Used as GPO templates within Active
Directory.
Allow you to configure a standard set
of items that will be configured by
default in any GPO that is derived
from a starter GPO.

Default Group Policies


When Active Directory is installed, two
domain GPOs are created by default.
Default Domain Policy - It is linked
to the domain, and its settings affect all
users and computers in the domain.
Default Domain Controller Policy -
It is linked to the Domain Controllers OU
and its settings affect all domain
controllers in the domain.

Creating and Managing Group Policies


The Group Policy Management Console
(GPMC) is the Microsoft Management
Console (MMC) snap-in that is used to create
and modify Group Policies and their settings.

The GPMC was not pre-installed in Windows
Server 2003; it needed to be downloaded
manually from the Microsoft Web site.
The GPMC is included in Windows Server 2008
by default.

When you configure a GPO, you will use the
Group Policy Management Editor, which
can be accessed through the GPMC or
through Active Directory Users and
Computers.

Group Policy Management Console (GPMC)

Group Policy Object Editor

Group Policy Settings


Configuring Group Policy settings
enables you to customize the
configuration of a user's desktop,
environment, and security settings.
The actual settings are divided into
two subcategories:
Computer Configuration
User Configuration

Group Policy Settings


The Computer Configuration and the User
Configuration nodes contain three subnodes:
Software Settings
Used to install software.
Windows Settings
Used to define security settings and scripts.
Administrative Templates
Windows Server 2008 includes thousands of
Administrative Template policies, which
contain all registry-based policy settings.
They are used to generate the user interface
for the Group Policy settings.

GPO Inheritance
You link a GPO to a domain, site, or
OU or create and link a GPO to one of
these containers in a single step. The
settings within that GPO apply to all
child objects within the object.

Group Policy Processing (LSDOU)


1. Local policies.
2. Site policies.
3. Domain policies.
4. OU policies.

Any conflicting GPO settings are
overwritten by the later running GPO.

Understanding Group Policy Processing


When a computer is initialized during
startup, it establishes a secure link
between the computer and a domain
controller.
Then the computer obtains a list of
GPOs to be applied.

Computer configuration settings are
applied synchronously during
computer startup before the Logon
dialog box is presented to the user.

Understanding Group Policy Processing


Any startup scripts set to run during
computer startup are processed.
These scripts also run synchronously
and have a default timeout of 600
seconds (10 minutes) to complete.
When the Computer Configuration
scripts and startup scripts are
complete, the user is prompted to
press Ctrl+Alt+Del to log on.

Understanding Group Policy Processing


Upon successful authentication, the
user profile is loaded based on the
Group Policy settings in effect.
A list of GPOs specific for the user is
obtained from the domain controller.
User Configuration settings also are
processed in the LSDOU sequence.

Understanding Group Policy Processing


After the user policies run, any logon
scripts run. Unlike the startup scripts,
these scripts run asynchronously by
default.
The user's desktop appears after all
policies and scripts have been
processed.

Configuring Exceptions to GPO Processing

Enforce - Configuring this setting on an individual
GPO link forces a particular GPO's settings to flow
down through the Active Directory without being
blocked by any child OUs.
Block Policy Inheritance - Configuring this setting
on a container object such as a site, domain, or OU
will block all policies from parent containers from
flowing to this container.
Loopback Processing - This is a Group Policy
option that provides an alternative method of
obtaining the ordered list of GPOs to be processed for
the user.
When set to Enabled, this setting has two options:
Merge and Replace.
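
Added example (not part of the original slides): a small Python model of the LSDOU order together with Enforce and Block Policy Inheritance, showing why a security baseline should be linked as Enforced if a lower OU can block inheritance. The container names, GPO names and settings are constructed; the rule that among enforced links the highest container wins is standard Group Policy behaviour that the slides do not state, and links within one container are assumed to be listed in processing order.

```python
from dataclasses import dataclass, field

@dataclass
class Link:                      # one GPO link (or the local GPO)
    gpo: str
    settings: dict
    enforced: bool = False

@dataclass
class Container:                 # a site, domain or OU
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def processing_order(local, chain):
    """chain = [site, domain, OU, child OU, ...] for one computer or user."""
    # Deepest container with Block Policy Inheritance: non-enforced links
    # from containers above it never reach the target.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        group = [link for link in container.links if link.enforced]
        if group:
            enforced.append(group)
        if depth >= cutoff:
            normal += [link for link in container.links if not link.enforced]
    # Enforced links run last, the highest container last of all, so a
    # child container can neither block nor override them.
    tail = [link for group in reversed(enforced) for link in group]
    return [local] + normal + tail

def effective(local, chain):
    """Return {setting: (value, winning GPO)}; later GPOs overwrite earlier."""
    result = {}
    for link in processing_order(local, chain):
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    return result

# Constructed sample hierarchy (all names and settings are made up).
LOCAL = Link("Local GPO", {"ScreenSaverTimeout": 1800})
SITE = Container("HQ", [Link("Site-Proxy", {"ProxyServer": "proxy.example.test:8080"})])
DOMAIN = Container("example.test", [
    Link("Default Domain Policy", {"ScreenSaverTimeout": 900}),
    Link("Baseline-Security", {"RemovableStorage": "deny"}, enforced=True)])
STAFF = Container("Staff", [Link("Staff-Desktop", {"ScreenSaverTimeout": 600})])
KIOSKS = Container("Kiosks", [Link("Kiosk-Lockdown",
    {"RemovableStorage": "allow", "ScreenSaverTimeout": 120})], block_inheritance=True)

if __name__ == "__main__":
    for target in ([SITE, DOMAIN, STAFF], [SITE, DOMAIN, STAFF, KIOSKS]):
        print(target[-1].name, effective(LOCAL, target))
```

For an object in the Kiosks OU, the block drops the site proxy and the non-enforced domain and Staff settings, but the enforced baseline still applies and overrides the OU's own "allow".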

GPUpdate Command
If you make changes to a group policy,
users may not see changes take effect
until:
They log off or log back in.
They reboot the computer.
They wait 90 minutes (+/- 30 minutes)
for stand-alone servers/workstations and
2 minutes for domain controllers.

To manually push group policies, you
need to use the gpupdate command:
gpupdate /force

Summary
Group Policy consists of user and computer
settings that can be implemented during
computer startup and user logon.
These settings can be used to customize the
user environment, to implement security
guidelines, and to assist in simplifying user
and desktop administration.
Group Policies can be beneficial to users
and administrators.
They can be used to increase a company's
return on investment and to decrease the
overall total cost of ownership for the
network.

Summary
In Active Directory, Group Policies
can be assigned to sites, domains,
and OUs.
By default, there is one local policy
per computer. Local policy settings
are overwritten by Active Directory
policy settings.

Summary
Group Policy content is stored in an
Active Directory GPC and in a GPT.
The GPC can be seen using the
Advanced Features view in Active
Directory Users and Computers.
The GPT is a GUID-named folder
located in the
systemroot\sysvol\SYSVOL\domain_name\Policies folder.

Summary
The Default Domain Policy and the
Default Domain Controller Policy are
created by default when Active
Directory is installed.
The Group Policy Management
Console is the tool used to create
and modify Group Policies and their
settings.

Summary
GPO nodes contain three subnodes
including Software Settings, Windows
Settings, and Administrative
Templates. Administrative templates
are XML files with the .admx file
extension.
Over 100 ADMX files are included
with Windows Server 2008.

Summary
The order of Group Policy processing
can be remembered using the acronym
LSDOU:
Local
Site
Domain
OU

This order is an important part of
understanding how to implement Group
Policies for an object.

Summary
Group Policies applied to parent
containers are inherited by all child
containers and objects.
Inheritance can be altered by using
the Enforce, Block Policy Inheritance,
or Loopback settings.
