Application Implementation Strategy by adn10359

Planning a Group Policy Management and Implementation Strategy
Lesson 10
Introducing the Group Policy Management MMC Snap-In
 • Import and copy GPO settings to and from the file system.
 • Backup and restoration of GPOs is available in Group Policy Management.
 • Resultant Set of Policy (RSoP) functionality integration includes Group Policy Modeling and Group Policy Results.




Introducing the Group Policy Management MMC Snap-In (cont.)
 • GPMC is natively installed with Windows Server 2008.
 • Hypertext Markup Language (HTML) reports allow read-only views of GPO settings and RSoP information.




Introducing the Group Policy Management MMC Snap-In (cont.)
 • Search for GPOs based on name, permissions, WMI filter, GUID, or policy extensions set in the GPOs.
 • Search for individual settings within a GPO by keyword, and search for only those settings that have been configured.








Configuring a Starter GPO
 • Starter Group Policy objects derive from a Group Policy object (GPO), and provide the ability to store a collection of Administrative Template policy settings in a single object.
 • You can import and export Starter GPOs, which makes them easy to distribute to other environments.
 • When you create a new GPO from a Starter GPO, the new GPO has all of the Administrative Template policy settings and their values that were defined in the Starter GPO.




Configuring a Starter GPO
 • Open the Group Policy Management MMC console.
 • Drill down to <forest name>, click <domain name>, and then click Starter GPOs.
 • If this is the first time you have used Starter GPOs, the Contents tab is gray. Click Create Starter GPOs Folder.




Configuring a Starter GPO (cont.)
 • Right-click the Starter GPOs node, and click New. The New Starter GPO dialog box is displayed.
 • Enter a name and description for the Starter GPO, and click OK.
 • Right-click the Starter GPO that you just created, and click Edit. The Group Policy Starter GPO Editor will open.




Configuring a Starter GPO (cont.)
 • Make any modifications to this Starter GPO, and then close the Group Policy Starter GPO Editor.
 • To create a new GPO that is based on this Starter GPO, navigate to the Group Policy Objects node.




Configuring a Starter GPO (cont.)
 • Right-click Group Policy Objects, and click New.
 • Enter a name for the new GPO.
 • In the Source Starter GPO drop-down list, select the Starter GPO that you want to use as the source of the new GPO, and click OK.




Filtering the Scope of a Group Policy Object
 • Filtering the scope
   ◦ You might need to restrain the scope of a GPO by applying permissions to specific users and/or computers
   ◦ This is called filtering the GPO scope
   ◦ To filter the scope of a GPO, you use security groups




Filtering the Scope of a Group Policy Object
 • Security groups
   ◦ Used to specify the users subject to the policies in a particular GPO
   ◦ Used to define the rights and permissions users will have to access resources
   ◦ You set different permissions for different security groups on the Security tab in the Properties dialog box for a GPO



Filtering the Scope of a Group Policy Object
 • Setting security groups permissions
   ◦ Read and Apply Group Policy permissions
     ▪ Are assigned for a particular GPO
     ▪ By default, the Authenticated Users group is granted both permissions for all GPOs
   ◦ To block a policy from applying to a specific group, set its Apply Group Policy permission to Deny
   ◦ To allow the GPO to apply to a single group of users
     ▪ Remove the Apply Group Policy permission from the Authenticated Users group
     ▪ Allow the Apply Group Policy permission only for that group


Filtering the Scope of a Group Policy Object
 • When you are using filtering, only two group policy permissions are applicable
   ◦ Read
   ◦ Apply Group Policy




[Figure: Setting the Apply Group Policy permission for a security group]

Filtering the Scope of a Group Policy Object
 • To add objects to the security filter
   ◦ On the Scope tab, in the Security Filtering section, click the Add button to open the Select User, Computer, or Group dialog box
   ◦ Click OK to add the object to the security filter
 • To apply the GPO only to the group or groups that have been added
   ◦ In the Security Filtering section on the Scope tab, select Authenticated Users
   ◦ Click the Remove button


[Figure: Security Filtering]
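
The security-filtering steps above, scripted with the GroupPolicy PowerShell module (an added example, not part of the original slides). It assumes the module is available (Windows Server 2008 R2 or later, or RSAT); the function names and the GPO and group names in the usage comment are placeholders.

```powershell
# Added example, not from the original slides.
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory = $true)] [string] $GpoName,
        [Parameter(Mandatory = $true)] [string] $GroupName
    )
    # Allow Read + Apply Group Policy for the one group that should receive the GPO.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Take Apply Group Policy away from Authenticated Users but keep Read,
    # so computer accounts can still read the GPO. -Replace is needed because
    # the new level (GpoRead) is lower than the existing one (GpoApply).
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
}

function Get-GpoApplyTrustee {
    param([Parameter(Mandatory = $true)] [string] $GpoName)
    # List every trustee on the GPO and mark the ones it actually applies to.
    # An explicit Deny shows up with Denied = True.
    Get-GPPermission -Name $GpoName -All | ForEach-Object {
        New-Object psobject -Property @{
            Trustee    = $_.Trustee.Name
            Permission = $_.Permission
            Denied     = $_.Denied
            Applies    = ($_.Permission -eq 'GpoApply' -and -not $_.Denied)
        }
    }
}

# Usage (placeholder names):
# Set-GpoSecurityFilter -GpoName 'Example GPO' -GroupName 'Example Group'
# Get-GpoApplyTrustee  -GpoName 'Example GPO' | Format-Table Trustee, Permission, Denied, Applies
```

Reviewing the output of the second function after every change confirms that only the intended group still has Apply Group Policy.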

Configuring WMI Filtering
 • Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer.
 • When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer.
 • If the WMI filter evaluates to false, the GPO is not applied. If the WMI filter evaluates to true, the GPO is applied.


Configuring WMI Filtering (cont.)
 • WMI makes data about a target computer available for administrative use. Such data can include hardware and software inventory, settings, and configuration information.
 • A WMI filter consists of one or more queries based on this data. If all queries are true, the GPO linked to the filter will be applied.
 • The queries are written using the WMI Query Language (WQL), a SQL-like language.


Configuring WMI Filtering (cont.)
 • The WMI filter is a separate object from the GPO in the directory. To apply a WMI filter to a GPO, you link the filter to the GPO.
 • This is shown in the WMI filtering section on the Scope tab of a GPO.
 • Each GPO can have only one WMI filter; however, the same WMI filter can be linked to multiple GPOs.
 • Select the GPO to be assigned to this WMI filter.




Configuring WMI Filtering (cont.)
 • WMI filters, like GPOs, are stored on a per-domain basis.
 • A WMI filter and the GPO it is linked to must be in the same domain.
 • Client support for WMI filters exists only on Windows XP, Windows Server 2003, and later operating systems. Windows 2000 clients will ignore any WMI filter and the GPO is always applied, regardless of the WMI filter.
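
A way to check a filter's WQL queries against a target computer before linking the filter to a GPO (an added example, not part of the original slides). The two sample queries, the function name Test-WmiFilter and the choice to treat a failed query as false are assumptions of this example; a query counts as true when it returns at least one instance.

```powershell
# Added example, not from the original slides.
# Uses Get-WmiObject, which is available in Windows PowerShell (not PowerShell 7).

# Each entry mirrors one query of a WMI filter: a namespace plus a WQL statement.
# Constructed sample: a workstation OS (ProductType 1) with more than 1 GB free on C:.
$sampleFilter = @(
    @{ Namespace = 'root\CIMv2'
       Query     = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1' },
    @{ Namespace = 'root\CIMv2'
       Query     = 'SELECT * FROM Win32_LogicalDisk WHERE DeviceID = "C:" AND FreeSpace > 1073741824' }
)

function Test-WmiFilter {
    param(
        [Parameter(Mandatory = $true)] [hashtable[]] $Queries,
        [string] $ComputerName = '.'
    )
    foreach ($q in $Queries) {
        try {
            # @() forces an array so that .Count works for zero or one result.
            $hits = @(Get-WmiObject -Namespace $q.Namespace -Query $q.Query `
                        -ComputerName $ComputerName -ErrorAction Stop)
        } catch {
            # Assumption of this example: a query that cannot run counts as false.
            Write-Warning "Query failed: $($q.Query) - $($_.Exception.Message)"
            return $false
        }
        # One query without results makes the whole filter false.
        if ($hits.Count -eq 0) {
            Write-Verbose "No instances returned for: $($q.Query)"
            return $false
        }
    }
    # Every query returned at least one instance: the linked GPO would apply.
    return $true
}

# Usage: Test-WmiFilter -Queries $sampleFilter -Verbose
```

Running it against a representative machine from each group of targets shows which computers the filter would exclude before any GPO depends on it.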


Examining the Application of Group Policy Using Resultant Set of Policy (RSoP)
 • RSoP is a useful new tool that allows you to visually examine the application of Group Policy
 • To use RSoP
   ◦ Open MMC and create a new console
   ◦ Query Active Directory for the Group Policies applying to a specific level of the hierarchy or for a specific object
     ▪ RSoP returns a list of all Group Policy settings
     ▪ Shows the configuration for that setting
     ▪ Identifies Group Policy that configured that particular setting


Examining the Application of Group Policy Using RSoP
 • Using RSoP in troubleshooting Group Policy application
   ◦ It allows you to quickly and easily determine the source of GPO conflicts on your network
   ◦ RSoP identifies
     ▪ The final group of policies that are applied, and which GPO set the final value for each policy
     ▪ The details for the policies that were not applied, including all other GPOs that attempted to set the policy and the setting they tried to impose


Examining the Application of Group Policy Using RSoP
 • In the GPMC, the functionality of RSoP is broken down into two distinct capabilities, which are controlled by two Wizards
   ◦ Group Policy Results Wizard
   ◦ Group Policy Modeling Wizard




Examining the Application of Group Policy Using RSoP
 • Group Policy Results Wizard
   ◦ Queries the target computer for the RSoP data that was applied to that computer
   ◦ Displays the policies that are applied to that computer or to a particular user on that computer
   ◦ The client being queried must be running Windows XP Professional or Windows Server 2003 or later
   ◦ In the RSoP snap-in, this functionality is called logging mode




Examining the Application of Group Policy Using RSoP
 • Group Policy Modeling Wizard
   ◦ Provides a simulation tool (What-If)
   ◦ Allows administrators to test to see what would happen to policy application for a particular user or computer under certain conditions
     ▪ The security group memberships are changed
     ▪ The location of the object in Active Directory is changed
   ◦ In the RSoP snap-in, this functionality is called planning mode


Examining the Application of Group Policy Using RSoP
 • After you have run one of the wizards, the RSoP data is generated as an HTML report
 • HTML report
   ◦ Displays the policy settings that are applied
   ◦ Identifies the GPO that sets the policy value
   ◦ The report is added to either the Group Policy Results or Group Policy Modeling node in the GPMC



[Figure: The RSoP console]

[Figure: The Summary of Selections screen in the Group Policy Results Wizard]
Examining the Application of Group Policy Using RSoP
 • Gpresult.exe command-line tool
   ◦ An additional tool for troubleshooting Group Policy application in Windows Server 2008
   ◦ It is stored in %Systemroot%\System32
   ◦ Performs nearly the same functions as RSoP
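
An added example (not part of the original slides) that uses Gpresult.exe to write the logging-mode data as XML and lists, per GPO, whether security filtering or a WMI filter kept it from applying. The function name and the report element names (GPO, Name, Enabled, AccessDenied, FilterAllowed) are assumptions to check against a report from your own system.

```powershell
# Added example, not from the original slides.
# Run on the target computer; use an elevated prompt to include computer results.
function Get-RsopGpoStatus {
    param([string] $ReportPath = (Join-Path $env:TEMP 'rsop.xml'))

    # /x writes the RSoP (logging mode) data as XML; /f overwrites an existing file.
    & (Join-Path $env:SystemRoot 'System32\gpresult.exe') /x $ReportPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult exited with code $LASTEXITCODE" }

    $rsop = New-Object System.Xml.XmlDocument
    $rsop.Load($ReportPath)

    # Read one child element's text; local-name() avoids the report's XML namespaces.
    function Get-ChildText($node, $name) {
        $child = $node.SelectSingleNode("*[local-name()='$name']")
        if ($child) { $child.InnerText } else { $null }
    }

    foreach ($scope in 'ComputerResults', 'UserResults') {
        $xpath = "//*[local-name()='$scope']/*[local-name()='GPO']"
        foreach ($gpo in $rsop.SelectNodes($xpath)) {
            New-Object psobject -Property @{
                Scope         = $scope
                Gpo           = Get-ChildText $gpo 'Name'
                Enabled       = Get-ChildText $gpo 'Enabled'
                # 'true' here means security filtering excluded the GPO.
                AccessDenied  = Get-ChildText $gpo 'AccessDenied'
                # 'false' here means the linked WMI filter evaluated to false.
                FilterAllowed = Get-ChildText $gpo 'FilterAllowed'
            }
        }
    }
}

# Usage: GPOs that were in scope but did not apply.
# Get-RsopGpoStatus |
#     Where-Object { $_.AccessDenied -eq 'true' -or $_.FilterAllowed -eq 'false' } |
#     Format-Table Scope, Gpo, Enabled, AccessDenied, FilterAllowed
```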



Using the Resultant Set of Policy Wizard
 • Click Start, and click Run.
 • Key mmc, and press Enter.
 • From the File menu, select Add/Remove Snap-in, and then click the Add button.
 • Select the Resultant Set of Policy snap-in from the Add Standalone Snap-in window.
 • Click Add, and then click Close.
 • Click OK to finish creating the new console window.



Creating a Group Policy Modeling Query
 • From the Administrative Tools folder on the Start menu, open Group Policy Management.
 • Browse to the forest or domain in which you want to create a Group Policy Modeling query.
 • Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.
 • On the Welcome to the Group Policy Modeling Wizard page, click Next.
 • Complete the remaining pages by entering the information that will build the appropriate simulation criteria.






You Learned
 • Application of group policies can be filtered by using Block Policy Inheritance, No Override, permissions, and WMI filters.
 • WMI filters allow administrative control over group policy implementation based on criteria defined in the filter. After evaluation, all filter criteria must return a value of true for the policy to be applied. Any criteria that return a value of false after evaluation will prevent the policy from being applied.


You Learned (cont.)
 • Only one WMI filter can be applied to each GPO.
 • GPMC can be used to manage all aspects of Group Policy, including the following: creation, linking, editing, reporting, modeling, backup, restore, copying, importing, and scripting.
 • Determining effective group policies can be accomplished using RSoP, GPMC, or GPResult.




You Learned (cont.)
 • RSoP is an MMC snap-in that has two modes: Planning and Logging. Planning mode allows administrators to simulate policy settings prior to their deployment. Logging mode reports on the results of existing policies.



