Professional Documents
Culture Documents
Configuring Group Policies
Configuring Group Policies
Configuring Group Policies
1
PRINT MANAGEMENT
Objectives 2
Configuration Node
Three folders under the Policies folder contain the
following information:
Software Settings - enables Administrators to install
and manage applications remotely
Windows Settings - contains Name Resolution Policy
node, Scripts extension, Security Settings node, and
the Policy-based QoS node
Administrative Templates - contains the Control
Panel, Network, Printers, System, and Windows
Components folders.
Node
Policies folder contains the same three folders
as in the Computer Configuration node, but
policies defined here affect domain users
within the GPO’s scope:
Software Settings - can assign or publish
application packages
Windows Settings – Contains four items:
Scripts extension
Security Settings node
Folder Redirection node
Policy based QoS node
Administrative templates - contains settings
that enable administrators to control users’
computer and network environments
Applied
GPO’s can be applied in four places:
Local Computer
Site
Domain
Organizational Unit
Policies are applied in the above order
Policies that are not defined or configured are not
applied at all
Last policy to be defined takes precedence
GPOs
Primary tools for managing, creating, and editing GPOs are
Group Policy Management Console (GPMC) and Group
Policy Management Editor (GPME)
If editing a GPO that is already linked to a container,
changes in policy settings take effect as soon as clients
download them
There’s no Save option in the GPME; changes are saved
immediately
Before introducing multiple policy changes at once, test
them individually
GPOs
GPOs linked to a site object affect all users and
computers physically located at the site
Can be used to set up different policies for mobile
users
In a singular site and domain environment, it is
better to use domain GPOs
Site GPOs can be confusing for users if policy
changes are drastic enough between sites
Linked GPO
GPOs at the domain level should contain settings
that apply to all objects in the domain
Account policies can be defined only at the
domain level
Active Directory folders, such as Computers and
Users, are not OUs and can’t have a GPO linked
to them
Best practices suggest setting account policies
and a few critical security policies at the domain
level
GPOs
Fine-tuning of group policies should be done at
the OU level
OU-linked policies are applied last
They take precedence over site and domain
policies
Users and computers with similar policy
requirements should be located in the same OU
Since OUs can be nested, so can GPOs
GPOs applied to nested OUs should be used for
exceptions to policies set at a higher level
Inheritance Behavior
GPO inheritance is enabled by default
To see where policies are inherited from, select a
container in the left pane of GPMC and click the
group policy inheritance tab in the right pane
There are several ways to affect GPO inheritance:
Blocking inheritance
Enforcing inheritance
GPO filtering
Inheritance
Forcing GPO Inheritance overrides any conflicting
configurations at a deeper level
A GPO that’s enforced has the strongest
precedence of all GPOs in its scope
If multiple GPOs are enforced, the GPO at the
highest level is enforced in a conflict
Example: If a GPO linked to an OU and a GPO
linked to a domain are both set to be enforced,
the GPO linked to the domain has stronger
precedence
Figure 8-11 The Active Directory Structure for GPO inheritance examples
Configuration Node
The Computer Configuration node applies
policies to computers regardless of who logs on to
the computer
Contains most of the security related settings in
the Account Policies, User Rights Assignment,
Audit Policy, and Security Options nodes
Computer configuration policies are uploaded to
a computer when the OS starts and are updated
every 90 minutes thereafter
Some policy changes may require a restart
Software Settings
Contains the Software Installation extension,
which can be configured to install software
packages remotely
Applications are deployed with the Windows
Installer service, which uses MSI files
An MSI file is a collection of files packaged into a
single file with an .msi extension
Contains the instructions Windows Installer needs to
install the application correctly
Windows Settings
The Windows Settings folder contains four
subnodes:
Name Resolution Policy - used to deploy DNS
security (DNSSEC) policies to clients
Scripts (Startup/Shutdown) - allows the creation of
scripts to be run during startup or shutdown
Security Settings - contains subnodes for setting
security policies
Policy-based QoS - enables administrators to
manage the use of network bandwidth and
prioritize network packets based on type of data in
the packet
Auditing
Windows Server 2012/R2 logs successful logon
events and certain other events by default
You must use the auditpol.exe command-line tool
to have more control over the types of events
that are audited
To clear all audit policy subcategories so that
auditing is controlled only by Group Policy, type:
auditpol /clear
Assignment
User rights define the actions users can take on a
computer
More than 40 user rights polices can be assigned
The Default Domain Controllers Policy specifies
User Rights Assignment policies that define actions
users can take on domain controllers
Options
This subnode includes almost 100 settings
One category of security policies to configure
right away is User Account Control
Determine what happens on a computer when a
user attempts to perform an action that requires
elevation
Elevation - a process that occurs when a user
attempts to perform an action requiring
administrative rights and is prompted to enter
credentials
Options
Additional settings that are commonly configured:
Accounts: Administrator account status
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console
logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Microsoft network server: Disconnect clients when logon hours
expire
Administrative Templates
Administrative Templates folder has the following
subnodes:
Control Panel
Network
Printers
Server
Start Menu and Taskbar
System
Windows Components
Configuration Node
Policies set under the User Configuration node
follow a user wherever he or she logs on
User Configuration node lacks most of the security
settings and account policies than Computer
Configuration node
Policies under User Configuration node are more
focused on the user’s environment, such as
Windows features that can and can’t be
accessed
Software Settings
Performs the same function as in Computer
Configuration
Because it’s defined in the User Configuration
node of a GPO, it affects users in the scope of the
GPO no matter where they log on
Windows Settings
Windows Settings contains four subnodes:
Scripts (Logon/Logoff) - identical to Scripts policy,
except scripts specified here are run only by users in
the GPO’s scope
Security Settings - contains two folders: Public Key
Policies and Software Restriction Policies
Folder Redirection - controls which folders in a user’s
profile are redirected to a location outside the
user’s profile folder
Policy-based QoS - the same function as in the
Computer Configuration node but applied to users
Administrative Templates
Affects the HKEY_CURRENT_USER section of the
computer’s Registry
Very similar to the Administrative Templates in the
Computer Configuration node
Contain the Control Panel, Network, Start Menu
and Taskbar, System, and Windows Components
subnodes as well as the following subnodes:
Desktop
Shared Folders