Introduction to Group Policy
Group Policy
• Group Policy is a method of controlling settings
  across your network.
   – Group Policy consists of user and computer settings
     on all versions of Windows since Windows 2000
     that can be implemented during computer startup
     and shutdown and user logon and logoff.
   – You can configure one or more GPOs within a
     domain and then use a process called linking, which
     applies these settings to various containers
     (domain, sites and OUs) within Active Directory.
   – You can link multiple GPOs to a single container or
     link one GPO to multiple containers throughout the
     Active Directory structure.
Group Policy
• The following managed settings can be defined or
  changed through Group Policies:
  – Registry-based policies - As the name implies, these
    settings modify the Windows Registry.
  – Software installation policies can be used to ensure
    that users always have the latest versions of
  – Folder redirection allows files to be redirected to a
    network drive for backup and makes them
    accessible from anywhere on the network.
  – Scripts – Including logon, logoff, startup, and
    shutdown scripts, these can assist in configuring the
    user environment.
  – Microsoft Internet Explorer settings – Provide quick
    links and bookmarks for user accessibility, in
    addition to browser options such as proxy use,
    acceptance of cookies, and caching options.
  – Security settings – Protect resources on computers
    in the enterprise.
• Group Policies can be linked to sites,
  domains, or OUs (not groups) to apply those
  settings to all users and computers within
  these Active Directory containers.
Group Policy Objects (GPOs)
• Contain all of the Group Policy settings that
  you wish to implement to user and computer
  objects within a site, domain, or OU.
• Must be associated with (linked to) the
  container to which they are applied.
• There are three types of GPOs:
  – Local GPOs.
  – Domain GPOs.
  – Starter GPOs.
Default Group Policies
• When Active Directory is installed, two
  domain GPOs are created by default.
   – Default Domain Policy — It is linked to the
    domain, and its settings affect all users and
    computers in the domain.
  – Default Domain Controller Policy — It is
    linked to the Domain Controllers OU and its
    settings affect all domain controllers in the
Creating and Managing Group Policies
• The Group Policy Management Console (GPMC) is
  the Microsoft Management Console (MMC) snap-in
  that is used to create and modify Group Policies
  and their settings.
  – The GPMC was not pre-installed in Windows Server
  – The GPMC is included in Windows Server 2008 by
• When you configure a GPO, you will use the Group
  Policy Management Editor, which can be accessed
  through the GPMC or through Active Directory
  Users and Computers.
Group Policy Management Console (GPMC)
Group Policy Object Editor
Group Policy Settings
• Configuring Group Policy settings enables
  you to customize the configuration of a
  user’s desktop, environment, and security
• The actual settings are divided into two
  – Computer Configuration
  – User Configuration
• The Computer Configuration and the User
  Configuration nodes contain three subnodes:
  – Software Settings
     •Used to install software.
  – Windows Settings
     •Used to define security settings and scripts.
  – Administrative Templates
     •Windows Server 2008 includes thousands of
      Administrative Template policies, which contain
      all registry-based policy settings.
     •They are used to generate the user interface for
      the Group Policy settings.
GPO Inheritance
• You link a GPO to a domain, site, or OU or
  create and link a GPO to one of these
  containers in a single step. The settings
  within that GPO apply to all child objects
  within the object.
Group Policy Processing (LSDOU)
1.   Local policies.
2.   Site policies.
3.   Domain policies.
4.   OU policies.
Any conflicting GPO settings are overwritten by the
later running GPO.
Understanding Group Policy Processing
• When a computer is initialized during
  startup, it establishes a secure link between
  the computer and a domain controller.
  – Then the computer obtains a list of GPOs to
    be applied.
• Computer configuration settings are applied
  synchronously during computer startup
  before the Logon dialog box is presented to
  the user.
• Any startup scripts set to run during
  computer startup are processed. These
  scripts also run synchronously and have a
  default timeout of 600 seconds (10
  minutes) to complete.
• When the Computer Configuration scripts
  and startup scripts are complete, the user is
  prompted to press Ctrl+Alt+Del to log on.
• Upon successful authentication, the user
  profile is loaded based on the Group Policy
  settings in effect.
• A list of GPOs specific for the user is
  obtained from the domain controller.
  – User Configuration settings also are
    processed in the LSDOU sequence.
• After the user policies run, any logon scripts

• The user's desktop appears after all policies
  and scripts have been processed.
Configuring Exceptions to GPO Processing
• Enforce — Configuring this setting on an individual GPO link
  forces a particular GPO’s settings to flow down through the
  Active Directory without being blocked by any child OUs.

• Block Policy Inheritance — Configuring this setting on a
  container object such as a site, domain, or OU will block all
  policies from parent containers from flowing to this
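
Added example (not part of the original slides): a simplified Python model of the LSDOU order combined with Enforce and Block Policy Inheritance, using constructed container, GPO and setting names. It goes slightly beyond the slides by modelling that enforced links win conflicts and that the enforced link highest in the hierarchy takes precedence.

```python
# Added example: simplified model of GPO precedence. All names/values are constructed.
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # processing order: last link wins
    block_inheritance: bool = False

def resultant_settings(local, chain):
    """chain: containers from site down to the OU holding the object (S, D, OU...).
    Returns {setting: (value, source)} after LSDOU, Block Inheritance and Enforce."""
    # Non-enforced links above the lowest blocking container are dropped.
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    result = {k: (v, "Local") for k, v in local.items()}  # L: local policy first
    for i, c in enumerate(chain):                          # then S, D, OU: later overwrites
        for link in c.links:
            if not link.enforced and i >= start:
                result.update({k: (v, link.gpo) for k, v in link.settings.items()})
    # Enforced links ignore blocking and win conflicts; the highest container wins,
    # so apply them from the bottom of the chain upward.
    for c in reversed(chain):
        for link in c.links:
            if link.enforced:
                result.update({k: (v, link.gpo) for k, v in link.settings.items()})
    return result

# Constructed sample hierarchy (hypothetical names and settings).
LOCAL = {"ScreenLockTimeout": 1800}
SITE = Container("HQ-Site", [Link("Site Proxy", {"ProxyServer": "proxy.example:8080"})])
DOMAIN = Container("corp.example", [
    Link("Default Domain Policy", {"ScreenLockTimeout": 900}),
    Link("Security Baseline", {"RemovableStorage": "Disabled"}, enforced=True)])
WORKSTATIONS = Container("Workstations", [Link("WS Policy", {"ScreenLockTimeout": 600})])
LAB = Container("Lab", [Link("Lab Policy", {"RemovableStorage": "Enabled",
                                             "ScreenLockTimeout": 300})],
                block_inheritance=True)

if __name__ == "__main__":
    for chain in ([SITE, DOMAIN, WORKSTATIONS], [SITE, DOMAIN, WORKSTATIONS, LAB]):
        print(chain[-1].name, resultant_settings(LOCAL, chain))
```

In the Lab case the enforced baseline survives Block Policy Inheritance, while the non-enforced site and domain settings do not reach the OU.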
GPUpdate Command
• If you make changes to a group policy, users
  may not see changes take effect until:
  – They log off or log back in.
  – They reboot the computer.
  – They wait 90 minutes (+/- 30 minutes) for
    stand-alone servers/workstations and 2
    minutes for domain controllers.
• To manually push group policies, you need to
  use the gpupdate command:
  Gpupdate /force
• Group Policy consists of user and computer
  settings that can be implemented during computer
  startup and user logon.
• In Active Directory, Group Policies can be
  assigned to sites, domains, and OUs.
• By default, there is one local policy per
  computer. Local policy settings are
  overwritten by Active Directory policy
• The Default Domain Policy and the Default
  Domain Controller Policy are created by
  default when Active Directory is installed.
• The Group Policy Management Console is
  the tool used to create and modify Group
  Policies and their settings.
• The order of Group Policy processing can be
  remembered using the acronym LSDOU:
  – Local
  – Site
  – Domain
  – OU
• This order is an important part of
  understanding how to implement Group
  Policies for an object.
• Group Policies applied to parent containers
  are inherited by all child containers and
  – Inheritance can be altered by using the
    Enforce, Block Policy Inheritance, or
    Loopback settings.