8.2 Group Policy Management
Order
1. The local Group Policy on the computer. 2. GPOs associated with a site. 3. GPOs linked to the domain. 4. GPOs linked to the organizational unit (OU). If the OU has nested OUs, the Group Policy is applied from the highest-level OU to the lowest-level OU. In other words, the Group Policy in the parent OU will run before the Group Policy in the child OU.
Scooping methods
Block Inheritance Enforced Security Group Windows Management Interface WMI filtering Loopback Processing
Block Inheritance
Blocking inheritance prevents settings in all GPOs linked to parent objects from being applied to child objects. • You configure inheritance blocking on the domain or an organizational unit (OU). • You cannot block inheritance on a per-GPO basis; blocking inheritance blocks all GPOs linked above the blocking object. • Only Group Policies applied directly to the container take effect. A blue circle with a white exclamation mark in it indicates blocked Group Policy inheritance.
Loopback Processing
By default, Group Policy configuration applies computer settings during startup and user settings during logon. For this reason, user settings take precedence in the event of a conflict. With loopback processing, computer settings are reapplied after user logon. Following are some circumstances when you might use loopback processing: • If you want computer settings to take precedence over user settings. • If you want to prevent user settings from being applied. • If you want to apply specified user settings for the computer, regardless of the location of the user account in Active Directory. Loopback processing runs in Merge or Replace mode. • Merge mode gathers the Computer Configuration GPOs and appends them to the User Configuration GPOs when the user logs on. • Replace mode prevents the User Configuration GPOs from being applied.
Group Policy Inheritance
Settings in a GPO are applied to all objects below the container where the GPO is linked. Inherited GPO settings for any object are the total settings of all GPOs linked to all parent objects.
Group Policy Results
To launch the Group Policy Results Wizard and determine how Group Policies are applied for a specified user and computer combination. The Details tab of the Group Policy Results Wizard identifies settings as well as the Group Policy driving each setting.
Enforced
To prevent inheritance from being blocked for a specific GPO, select the Enforced (no override) option for the GPO link. • You configure the enforced option on a per-GPO basis. • Enforced GPOs are applied last and override other GPO settings. • An enforced policy cannot be blocked or overwritten. • A lock icon indicates an enforced policy.
Security Group filtering
To use Security group filtering: • Create a global group. • Filter in one of the two following ways: • Filter a policy you want to apply to everyone but the global group by setting the following rights for the global group: • Deny - Apply Group Policy • Deny - Read • Filter a policy you want applied only to the global group by modifying the properties of the GPO to allow only the global group to run the Group Policy.
GPO status
Undefined Define
Windows Management Interface WMI filtering
Use Windows Management Interface (WMI) filtering to determine the scope of a GPO dynamically, based on hardware and software characteristics such as CPU, memory, disk space, registry data, drivers, network configuration, or application data. In WMI filtering you create a script containing a test that results in a yes or no response. WMI filtering: • Applies the policy if the response is yes. • Does not apply the policy if the response is no. • Is restricted to only one WMI filter per GPO. • Uses queries written in WMI query language (WQL). • Should be applied for a well-defined purpose and limited amount of time. • Evaluates the target computer every time a Group Policy refresh occurs.
Undefined
meaning that the GPO has no value for that setting and does not change the current setting.
Define
meaning that the GPO identifies a value to enforce.
This section covers the following Windows Server Pro: Install and Configure exam objective:
• 6.0 Group Policy. • Manage Group Policy Objects (GPOs) • Modify GPO Links This section covers the following 70-410 exam objective: 601 Create Group Policy objects (GPOs).
After finishing this section, you should be able to complete the following tasks:
• Centrally manage administrative templates using the central store. • Configure the scope of Group Policy objects.
Options in Group Policy Management to help you to manage the app of the GPO
• On the Details tab, set the GPO Status to reflect how the policy is applied: • Use the Computer configuration settings disabled setting if the Group Policy applies only to users or groups. • Use the User configuration settings disabled if the Group Policy applies only to computers. • On the Settings tab, you can view the settings that have been defined.
To determine how scoping affects the application of the GPO:
• Use Group Policy Modeling to launch the Group Policy Modeling Wizard: You can simulate how the Group Policies will be applied: • Based on a specified user or users in a container. • Based on a specified computer or computers in a container. • Based on a slow network connection. Based on Loopback processing
This objective may include but is not limited to:
Configure a Central Store Configure security filtering
Negatives in policies
If you disable a policy that disables a feature, the feature is enabled.
Note
Individual settings within all GPOs are combined to form the effective Group Policy setting as follows: • If a setting is defined in one GPO and undefined in another, the defined setting will be enforced (regardless of the position of the GPO in the application order). • If a setting is configured in two GPOs, the setting in the last applied GPO will be used. The Local Group Policy is applied only when there are no GPOs linked to a domain or the OU. GPOs linked to an OU override GPOs linked to a domain when both are applied.
Group Policy object GPO
Is a collection of settings that can be applied to a group of users or computers. A number of factors determine the effective Group Policy settings for an object.
Scooping
Is the process of targeting a GPO to specific users and/or computers.
