8.1 Group Policy Foundation
Local policies / user rights examples
Access this compute from the network ( the ability to access resources on the computer through a network connection) Load and unload device drivers Back up files and directories (does not include restoring files and directories) Shut down the system Remove a computer from a docking station
Local Policies / Security Options
Allows you to apply or disable rights for all users to whom the group policy applies
Administrative Template
Are registry-based settings that can be configured within a GPO to control the computer and the overall user experience
Collections of policy settings
Are stored in a Group Policy object (GPO). The GPO includes registry settings, scripts, templates, and software-specific configuration values.
.admx files
Are the Administrative Template files and require Windows Vista or later to edit.
GPO categories
Computer Configuration User Configuration
Computer Configuration
Computer policies (also called machine policies) are enforced for the entire computer and are applied when the computer boots. Computer policies are in effect regardless of the user logging into the computer.
Local Policies / user rights assignment
Computer policies include a special category of policies called user rights.
When do computer policies run?
Computer policies run before the user policies run.
Local policies / Security Options
Computer shut down when security event log reaches capacity Unsigned driver installation Ctl+Alt+Del required for log on
GPOs
Contain hundreds of configuration settings.
Assigning GPO permissions
Control the operations that users can perform on the GPO as well as the application of the GPO to the user.
Tasks for managing GPOs
Creating local GPOs Assigning GPO permissions Linking GPOs Using Administrative Templates Using a central store
Linking GPOs
GPOs can be linked to Active Directory sites, domains, and organizational units (OUs). Use the Group Policy Management console to link Group Policy.
Policy
Is a set of configuration settings applied to objects such as users or computers. Group policies allow the administrator to apply multiple settings to multiple objects within the Active Directory domain at one time.
Notes
Keep in mind the following about GPOs: • If possible, combine multiple settings into one Group Policy. Reducing the number of Group Policies that require processing reduces boot and logon time. • The Default Domain policy contains the only password policy that is going to take effect, unless you create a password settings object (PSO). • GPOs do not exist at the forest level. To enforce a GPO in multiple domains, create the GPO in one domain, and export it and then import it into other domains. Each GPO has a common structure, with hundreds of configuration settings that can be enabled and configured.
Delete group policy
Must be deleted from the group policy objects container
Starter Group Policy Objects
Starter Group Policy Objects, referred to as Starter GPOs, allow you to store a collection of Administrative Template policy settings in a single object.
Software Restriction Policies
To define the software permitted to run on any computer in the domain. These policies can be applied to specific users or all users.
File System
Use File System policies to configure file and folder permissions that apply to multiple computers. For example, you can limit access to specific files that appear on all client computers.
Local Policies / Audit Policy
Use audit policy settings to configure auditing for events, such as log on, account management, or privilege use.
Account Policies
User Account policies to control the following settings: Password Account Kerberos Account policies are in effect only when configured in a GPO linked to a domain.
User configuration
User policies are enforced for specific users
Local Policies / user rights
User rights identify system maintenance tasks and the users or groups who can perform these actions.
Using a central store
When you use Administrative Templates, the policy is stored locally and the settings are saved to Group Policy on the domain controller. The central store allows Administrative Templates to be available to be edited by other domain
Multiple local group policies
Windows server 2008 R2 and windows 7. A local compute can have multiple local group policies
Registry
You can use registry policies to: • Configure specific registry keys and values. • Specify if a user can view and/or change a registry value, view sub-keys, or modify key permissions.
.adm files
are the pre-XML format used for Administrative Templates. This older format is still usable in Windows Server 2012.
.adml files
files contain the language-specific Administrative Template files.
Group Policies stored
in SYSVOL, a share that is created when you install Active Directory. All domain controllers in the domain have a replicated copy of SYSVOL.
Creating local GPOs
is stored on a local machine. Computers that are not part of a domain use the Local Security Policy settings to control security settings and other restrictions on the computer. To edit the local Group Policy, enter gpedit at the command line
Group policy inheritance
lists the order in which Group Policies will be applied. The policies are listed in reverse order of precedence, meaning that the last policy on the list--the one with the highest precedence number--will be applied first.
Linked group policy objects
tab you can change the link order of Group Policies.
Using administrative templates
to create Group Policies to manage Microsoft Office or in-house applications. File types for Administrative Templates use an XML-based file format that allows multi-language support and version control: .admx .adml .adm
dcgpofix command
to restore the original settings of the Default Domain Controllers Group Policy.
This section covers the following Windows Server Pro: Install and Configure exam objective:
• 6.0 Group Policy. • Manage Group Policy Objects (GPOs) • Create and Link a GPO • Create a Starter GPO • Modify GPO Links
Group Policy Management Console to link GPOs
• A GPO applied to an OU affects the objects in the OU and sub-OUs. • A GPO applied to a domain affects all objects in all OUs in the domain. Built-in containers (such as the Computers container) and folders cannot have GPOs linked to them.
Central store Creation
• Create a folder named PolicyDefinitions in file:\\FQDN\SYSVOL\FQDN\. For example: \\Northsim.com\SYSVOL\Northsim.com\PolicyDefinitions • Copy the contents of the local PolicyDefinitions folder to the PolicyDefinitions folder on SYSVOL. The path of the local PolicyDefinitions folder is typically: C:/Windows/PolicyDefinitions
Microsoft Management Console mmc
• Enter mmc at the command line to launch the Microsoft Management Console. • Add the Group Policy Object Editor snap-in from the File menu. By default it will add the Local Computer Group Policy. Select Users to edit Local Group Policy for specific users on the computer. You can save the Group Policy Object Editor console to allow for easy access in the future.
Software Restriction Policies Examples
• Identify allowed or blocked software. • Allow users to run only specified files on multi-user computers. • Determine who can add trusted publishers. • Apply restrictions to specific users or all users.
This section covers the following 70-410 exam objective:
• Manage starter GPOs • Configure GPO links • Configure multiple local group policies
Multiple local group policies examples
• One Group Policy that affects the computer • One or more Group Policies that affect users To create or edit multiple local Group Policies, you use the Microsoft Management Console (mmc): • Enter mmc at the command line to launch the Microsoft Management Console. • Add the Group Policy Object Editor snap-in from the File menu. By default it will add the Local Computer Group Policy. Select Users to edit Local Group Policy for specific users on the computer. You can save the Group Policy Object Editor console to allow for easy access in the future.
User Policy settings
• Software that should be installed for a specific user. • Scripts that should run at logon or logoff. • Internet Explorer user settings (such as favorites and security settings). • Registry settings that apply to the current user (the HKEY_CURRENT_USER subtree). User policies are initially applied as the user logs on. They often customize Windows based on user preferences.
Computer policies
• Software that should be installed on a specific computer. • Scripts that should run at startup or shutdown. • Password restrictions that must be met for all user accounts. • Network communication security settings. • Registry settings that apply to the computer (the HKEY_LOCAL_MACHINE subtree). Computer policies are initially applied as the computer boots, and are enforced before any user logs on.
Linking group policies
• The Default Domain Controllers Policy is linked to the domain controllers OU by default. • This policy increases security of the domain controllers.
Assigning GPO permissions process
• To apply settings to a user, the user must have the Allow Read and Apply Group Policy permissions. • By default, each GPO grants the Authenticated Users group (basically all network users) the Allow Read and Apply Group Policy permissions. This means that, by default, GPO settings apply to all users. Permissions also control who can edit Group Policy settings and manage the GPO.
Administrative Template Examples
• Use of Windows features such as BitLocker, Offline files, and Parental Controls • Customize the Start menu, taskbar, or desktop environment • Control notifications • Restrict access to Control Panel features • Configure Internet Explorer features and options
Starter Group Policy Objects Examples
• When you create a new GPO from a Starter GPO, the new GPO has all of the Administrative Template policy settings and values that were defined in the Starter GPO. You can easily distribute Starter GPOs by exporting and then importing them to another environment.