Chap 7 continued


to use Starter GPO to create new GPO

-select one in Source Starter GPO list box in Wizard
-OR right-click a Starter GPO in Starter folder & click New GPO
-after creating new, can edit like any GPO BUT starters don't contain all nodes of regular GPO
-only Administrative Templates folder in both Computer Configuration & User Configuration is included

Primary tools for managing, creating, & editing

1) Group Policy Management Console (GPMC, also called the Group Policy Management MMC)
2) Group Policy Management Editor (GPME) (Chap 3)

When changing several policies at once or unsure of effect, test before enabling

1. Set up at least one test computer per OS used in the organization.
2. Join test computers to the domain and place their accounts in a test OU.
3. Create one or more test user accounts in the test OU.
4. Create the new GPO in the Group Policy Objects folder and set the policies you want.
5. Link the GPO to the test OU.
6. Restart and log on to the test computers with the test user accounts to observe the policy effects.
7. Make changes to the GPO, if necessary, and repeat Step 6 until the policy has the desired effect.
8. Unlink the policy from the test OU, and link it to the target Active Directory container.

Steps for making policy changes that affect the whole domain are as follows, assuming you already have the test computers, users, and OU set up as described earlier:

1. Create the new GPO in the Group Policy Objects folder and set the policies you want.
2. Link the GPO to the test OU, making sure to unlink any GPOs that are linked there from previous tests.
3. Test your policies by following Steps 6 to 8 in the previous list.
4. Make changes to the GPO, if necessary, and repeat testing until the policy has the effect you want.
5. Unlink the policy from the test OU, and link it to the domain.

Distributed File System Replication (DFSR)

DFSR is used when all DCs are running Windows Server 2008.

File Replication Service (FRS)

FRS is used when you have a mix of Windows Server 2008, Windows Server 2003, and Windows 2000 domain controllers.

Starter GPO

-GPO template but NOT GPT
-used as baseline for new GPOs

GPTs located in Sysvol share

replicated by either of 2 methods: File Replication Service (FRS) or Distributed File System Replication (DFSR)

GPCs (Active Directory objects)

replicated during normal Active Directory replication

GPCs & GPTs stored in different places on domain controller

therefore different methods required to replicate GPOs on all domain controllers

To edit existing GPO

-Right-click it in the GPMC and click Edit, which opens the GPO in the GPME.
-In the GPMC, all GPOs are stored in the Group Policy Objects folder, and you can also find GPOs linked to an Active Directory container displayed as shortcut objects in the container to which they're linked. Checking whether and where a GPO is linked is a good idea before editing.
-To do this, select the GPO in the left pane of the GPMC and view the Scope tab in the right pane (see Figure 7-7).
-All Active Directory objects the GPO is linked to are listed for the selected location.
-In this figure, the domain is selected as the location, and you can also select Entire forest or All sites in the Display links in this location list box.

Several ways to do task

-Edit an existing GPO that's linked to an Active Directory container.
-Link an existing GPO to an Active Directory container.
-Create a new GPO for an Active Directory container.
-Create a new GPO in the Group Policy Objects folder, which isn't linked to an Active Directory object.
-Create a new GPO by using a Starter GPO.

2 ways to create new GPO w/GPMC

-You can right-click the container you're linking the GPO to and select "Create a GPO in this domain, and Link it here," or you can right-click the Group Policy Objects folder and click New.
-The latter method is preferable for the reasons stated earlier.
-After creating a GPO, you can edit it and link it to an Active Directory container, if necessary.
-Because several GPOs can be linked to the same container, the best practice is to create GPOs that set policies narrowly focused on a category of settings, and then name the GPO accordingly.
-For example, if you need to configure policy settings related to the Network node, create a GPO named CompNetwork.
-If this policy will apply only to a certain container, you could include the container name in the GPO name, for example, TestOU-CompNetwork.
-Creating and naming GPOs in this manner makes it easier to identify the GPO that sets a particular policy and to troubleshoot GPO processing problems.

when new GPO created

-a number of files & subfolders created under root folder
-# of files & subfolders depends on which policies configured BUT at least 3 each:
1) GPT.ini
2) Machine
3) User

not advisable to edit 2 default GPOs

-can't test adequately since already linked
-might want to revert to default settings & have difficulty remembering what was changed

Purpose of using these tools

-carry out changes to security &/or working environment for users or computers

Recommended method for making changes to multiple GPOs

-create new GPO & link to domain
-can have multiple GPOs linked to same container

creating & linking GPOs

-if changes are necessary for domain policies or domain controller policies, creating new GPOs and linking them to containers is recommended instead of editing the default GPOs

New GPO Wizard

-includes option to use Starter GPO
-stored in Starter GPOs folder in GPMC
-can be used to specify baseline of settings then modified

every GPO has GPT associated w/it

-local path to GPT folders on a domain controller is %systemroot%\SYSVOL\sysvol\domain\Policies; %systemroot% represents the drive letter and folder name where the Windows OS is stored, usually C:\Windows, and domain is the domain name.
-each GPT is actually a series of folders and files, but root folder has name of GPO's GUID

Starter GPOs useful

-making sure policies consistent throughout domain by defining baseline settings for group policy setting categories
-can change baseline settings as needed BUT after new GPO created from Starter, any changes NOT propagated to new GPO.
-can be shared w/other administrators by placing in cabinet files (CAB files).
-use Save as Cabinet and Load Cabinet buttons to save Starter GPO as CAB file & load Starter GPO from CAB file

DFSR

-more efficient due to an algorithm called remote differential compression (RDC), in which only data blocks that have changed are compressed and transferred across the network.
-more reliable because of improvements in handling unexpected service shutdown that could corrupt data & because it uses a multimaster replication scheme.

Group Policy Templates

-not stored in Active Directory
-stored in folder in Sysvol share on domain controller
-contains all policy settings + related files such as scripts

GPC & GPT can become out of sync from seconds to minutes to hours

-problems can be diagnosed w/ Gpotool.exe
-part of Windows Resource Kit which can be downloaded from Microsoft Download Center

Remember: changes in policy take effect when clients download or restart; no Save option in GPME

Therefore, the best practice is usually creating GPOs in the Group Policy Objects folder, and then linking them to the target Active Directory container after all changes have been made.

GPT.ini

This file contains the version number used to determine when a GPO has been modified. Every time a GPO changes, the version number is updated. When GPO replication occurs, DCs use this version number to determine whether the local copy of the GPO is up to date.

User

This folder contains subfolders that store policy settings related to the User Configuration node.

Machine

This folder contains subfolders that store policy settings related to the Computer Configuration node.

