2 Using Group Policy Management Tools

Published on February 2017

16/11/2014

Section Topics

• Local vs. Domain Policies
• Editing Local Policies
• Managing Domain Policies
• Understanding Group Policy Refresh

 Section Objectives

After completing this section, you will be able to:

• Use Group Policy Management tools
• Describe the advantages of using domain policies instead of local policies
• List the capabilities of the Group Policy Management Console
• Describe the requirements for installing the Group Policy Management Console
• Explain how to use the different GPMC features to create and manage policies
• Describe the elements of the gpupdate command

Section Overview

This section describes the differences between local and domain policies and the Group Policy management tools you can use to manage these policies. One of these tools is the Group Policy Management Console. This section also describes the Group Policy refresh process and how to manually force a refresh ahead of the default interval.

Local vs. Domain Policies

Figure 20: Local vs. Domain Policies

Policy management encompasses tools both at the local and domain level. You can manage policies independently on each individual computer where appropriate. However, the power of Group Policy is exposed in the domain environment where you can apply policies on a broad basis to large numbers of computers and users. This provides a central management capability that is not available when you configure policies locally. In addition, policies that are configured through the domain cannot be overridden by local policy settings, so they are more secure.

Group policies exist on every local computer and are applied at computer startup. This happens regardless of whether the computer is part of a domain or in a stand-alone workgroup mode.

Sometimes it is useful to configure local policies on a computer for a variety of reasons as listed in Figure 20.

Beginning with Windows Vista, it is now possible to create multiple policies on the local computer and apply them to different users or groups. This will most often be helpful in a workgroup scenario when you cannot use domain-based policies.

The following section explains how to edit local policies.

Editing Local Policies

Figure 21: Editing Local Policies

You can edit local policies by either running gpedit.msc directly on the local computer, or by running mmc.exe and adding the GPOE (Group Policy Object Editor) snap-in. Figure 21 lists these tools and their features.

The following topics explain how to use these tools.

Using Gpedit.msc 

Figure 22: Using Gpedit.msc

Gpedit.msc is a simple tool that you can use to run and edit the policies on a local computer.

Depending on the Windows operating system that is running on the computer, it can be executed as follows:

• On Windows Vista or later computers, click Start and type gpedit.msc in the Search box or on the Start screen with Windows 8 Client.
• On Windows XP computers, click Start and type gpedit.msc in the Run box.

The advantage of this tool is that it is simple to run. However, when you launch gpedit.msc manually, you can only edit policies on the local computer and you cannot change its focus.

Using MMC.exe with the Group Policy Object Editor Snap-in

Figure 23: Using MMC.exe with the Group Policy Object Editor Snap-in

Another way to edit policies is to use the MMC (Microsoft Management Console). After the MMC starts, you can add the GPOE snap-in to the console. When you add the snap-in, you will be prompted to edit the policies for either the local computer, or another system on the network.

The advantages of using the MMC with the Group Policy Object Editor snap-in are:

• You can edit policies on remote computers.
• On Windows Vista and later computers, you can edit multiple local policies via the MMC with the Group Policy Object Editor snap-in.
• You can save the MMC to an *.msc file to conveniently edit local or remote computer policies.

Managing Domain Policies

Figure 24: Managing Domain Policies

The management of Group Policies involves using the right tools to create and edit a policy and knowing where to create the policy and what values to set the items to. This topic describes the process of managing Group Policies.

Using the GPMC 

Figure 25: Using the GPMC

The GPMC (Group Policy Management Console), or gpmc.msc, is the primary tool for viewing and managing all the policies that exist in a given Active Directory forest. You can view all the sites, domains, and OUs from one console interface. The tool also displays a listing of all GPOs that have been defined in each domain, even if they are not currently applied to anything.

In addition to displaying the structure of the group policies, the GPMC tool allows the administrator to quickly see which policy settings are being applied at each level of the OU structure without opening each policy in the Group Policy Management Editor.

Built in to the GPMC are tools for viewing Group Policy modeling and Group Policy results. These tools are very helpful in testing and troubleshooting the policies that are applied to computers or users.

This section describes the Group Policy Management Console.

Understanding the Group Policy Management Console

Figure 26: Understanding the Group Policy Management Console

The GPMC is a centralized policy management tool. Using the GPMC, you can perform most of the common Group Policy operations without having to switch between separate windows in separate Active Directory utilities. The GPMC also offers several capabilities, as shown in Figure 26, that you cannot find anywhere else.

In Windows 2000, Windows XP, and Windows Server 2003, the GPMC is an optional piece of software that is a free download from Microsoft. It is now the primary tool for Group Policy management in Windows Server 2008 and later versions.

Before the GPMC

Think about the various actions that you occasionally need to perform with Group Policy.

Figure 27 lists these actions and the tools that you needed to carry them out prior to the arrival of the GPMC.

Action                                   Tool
Create or modify site-based policy       Active Directory Sites and Services
Create or modify domain-based policy     Active Directory Users and Computers
Create or modify OU-based policy         Active Directory Users and Computers
Create or modify local policy            Local Group Policy
Predict policy effects                   Resultant Set of Policy
Report policy effects                    Resultant Set of Policy
Print GPO settings                       Resultant Set of Policy
Perform security group filtering         DACL editor for the specific GPO
Delegate Group Policy links              Delegation of Control wizard

Figure 27: Actions Performed with Group Policy and Tools Used to Carry Them Out

If you think about the number of menus, submenus, property sheets, and dialog boxes in any of the tools, you realize that working with these fragmented tools in Group Policy can be an overwhelming task.

The GPMC Solution

The GPMC, released in April 2003 as a separate download (not part of the Windows 2003 Server distribution), lets you perform all the activities, which are listed in Figure 27, from a single console, gpmc.msc. (Although the GPMC does not actually have GPO editing capability, you can start the Group Policy console from its user interface.)

Additionally, the Group Policy Management Console provides the ability to:

• Back up and restore policy objects
• Import settings from one policy object as the basis for creating a new object
• View all the links for a specific policy object

The GPMC allows you to perform these functions as well.

What the GPMC Is Not 

The GPMC does not replace the Group Policy console (called Group Policy Object Editor in Windows 2003 Server and Group Policy Management Editor in Windows Vista, Windows Server 2008 and later operating systems). In fact, when you are working in the GPMC and you select a setting to change, GPMC invokes the Group Policy Management Editor console for that purpose.

You would choose a GPO from the Group Policy Objects node, right-click, and select Edit.

Note also that the GPMC is not a replacement for the Active Directory Users and Computers MMC snap-in. You still need Active Directory Users and Computers for tasks such as creating, editing, and deleting users, groups, and computers. One of the few, yet important, objects that you can create in the GPMC is an OU. Because most policies are built on the OU structure, it is convenient to create the OUs directly in the GPMC.

Installing the GPMC

Figure 28: Installing the GPMC

If you want to install the GPMC on Windows XP or Windows Server 2003, you can download it (free) from Microsoft. Windows Vista and later operating systems require the RSAT to be installed, followed by enabling the GPMC. Windows Server 2008 and later already include the GPMC, but you must enable it.

To install the GPMC on Windows Vista SP1, follow these steps:

1. Download and Install the RSAT.
2. Open the Control Panel, the Programs and Features interface.
3. Click the Turn Windows Features On or Off link.
4. Select the Remote Server Administration Tools, Feature Administration Tools, Group Policy Management Tools option.
5. Click OK.

To enable the GPMC on Windows Server 2008 or later, follow these steps:

1. Open Server Manager.
2. Use the Add Roles and Features option to add the Group Policy Management feature.

Installation Requirements

The GPMC requires Windows XP or later to run. The GPMC does not run on:

• A Windows 2000 Professional or Windows 2000 Server computer of any kind, even though the GPMC can administer a Windows 2000 network.
• A 64-bit version of Windows XP or Windows Server 2003.

The GPMC is included in:

• The RSAT pack for Windows Vista and later.
• Windows Server 2008 and later.

Other installation requirements for the GPMC include:

• Domain member: The computer on which you run GPMC must be a member of either a domain in the forest that you wish to administer, or a domain that has a trust with that forest. That is, you cannot run GPMC on a computer that belongs to a workgroup.
• Domain controllers: In order to support the signed-and-encrypted LDAP communications that GPMC uses, GPMC requires that any Windows 2000 Server domain controllers must run SP2 or higher, and the Windows 2000 Server domain controllers in a separate forest to which you connect must run SP3 or higher.
• For Windows XP: If you want to run the console on Windows XP, you need to fulfill these additional requirements:
  ▪ Upgrade Windows XP to SP1.
  ▪ You must have the Microsoft .NET Framework.
  ▪ GPMC requires hotfix Q326469 (which updates Gpedit.dll to version 5.1.2600.1186). The GPMC installer offers to install this for you if you do not already have it.
• For Windows Vista and later: If you want to run the console on Windows Vista or later operating systems to take advantage of all the new Group Policy features, you need to:
  ▪ Download and install the RSAT Pack for your version of Windows Client.
  ▪ Use Control Panel, Programs and Features, Turn Windows Features On or Off to enable the RSAT features that you need, including the GPMC.

Opening the GPMC

Figure 29: Opening the GPMC

After installation, you can use any of the following methods to run the console:

• In the Server Manager on Windows Server 2012 and Windows 8 Client, click Tools, Group Policy Management.
• Click Start and type gpmc.msc.
• Click Start (All Programs, if necessary), Administrative Tools, and Group Policy Management.
• Run mmc.exe and create your own custom console, adding the Group Policy Management snap-in.
• In Windows XP and Windows Server 2003, in Active Directory Users and Computers or Active Directory Sites and Services, go to the Group Policy tab and click Open.

 Note

When the GPMC is installed on Windows XP or Windows Server 2003, the Group Policy tab of Active Directory Users and Computers (and, for site policies, Active Directory Sites and Services) is disabled. Instead, you get a dialog box on a Windows XP or Windows Server 2003 computer directing you to the GPMC. In Windows Vista and later there is no Group Policy tab available in the ADUC tool.

Using the GPMC from the Server Manager

Figure 30: Using the GPMC from the Server Manager

The new Server Manager tool in Windows Server 2012 and Windows 8 Client has a Tools menu that replaces the Start, All Programs, Administrative Tools functionality from previous versions of Windows.

Configuring the GPMC

Figure 31: Configuring the Console

The first time that you open the GPMC after installing it, you will see a top-level node corresponding to the forest that your computer account resides in. The following subnodes will appear under the forest node:

• Domains
• Sites
• Group Policy Modeling
• Group Policy Results

Right-click the Domains node, select Show Domains, and then select the domain or domains that you wish to view by checking the appropriate boxes. You can show multiple domains in the console pane at the same time, although their DNS structure will not affect their placement in the console.

You can connect to a different forest, if desired, by right-clicking the top node (Group Policy Management) and choosing Add Forest. However, the forest you add must be trusted by the forest you are already in.

As usual with MMCs, the Action menu mirrors the context menu for each node. The contents of the details pane change depending on what you select in the console pane. In addition, you can expand nodes by clicking the plus (+) sign next to them.

Searching and Filtering

Figure 32: Searching and Filtering

In a very large GPO deployment, there may be hundreds of GPOs with thousands of policy settings configured in them. Finding what you are looking for among all of those configured items can be a major challenge. For this reason, it is important to take advantage of two GPMC features:

• GPO Search
• Administrative Templates Filtering

Searching for GPOs

Figure 33: Searching for GPOs

In a large Active Directory environment, it might be convenient to search for GPOs by several different criteria. The GPMC has a fairly advanced search facility to satisfy this need. You can activate the search feature on a per-domain or per-forest basis, as follows:

• Right-click a specific domain and choose Search.
• Right-click a specific forest and choose Search.

You can search for GPOs using many different categories and conditions. This allows you to find a specific GPO without having to examine the settings inside every GPO. In Figure 33, the GPO search option is being used to simply look for text inside the GPO name.

When you create search criteria, specify a search item, a condition, and a value.

• Search Item: This criterion specifies what kind of item you are looking for; for example, a GPO name, a user configuration setting, or a GPO GUID.
• Condition: This criterion is really more correctly referred to as an operator and relates the search item to the value. Example conditions are Contains, Exist in, Has This Explicit Permission, Is, Is Not, and so on. The available conditions depend on what you choose for your search item.
• Value: This criterion is the syntactical object of the operator, specifying the precise details of what you want your search to find. It might be a specific domain or OU name, a particular kind of policy setting, or a certain security permission.

The list of choices you can select from the Search Item drop-down menu are:

• GPO Name: Enables you to specify the exact name, or a substring.
• GPO Link: Enables you to specify links that exist, or do not exist, in specific domains or sites. This setting is useful for finding GPOs with cross-domain links, as well as GPOs with no links at all.
• Security Group: Enables you to specify a search for GPOs where security groups have or do not have apply, edit, and read permissions, either explicitly or effectively.
• Linked WMI Filter: Enables you to specify the name of the filter.
• User Configuration: Enables you to specify a search for GPOs where the User Configuration half of the policy object contains, or does not contain, Folder Redirection, IE Branding, Registry, Scripts, or Software Installation settings.
• Computer Configuration: Enables you to specify a search for GPOs where the Computer Configuration half of the policy object contains, or does not contain, EFS Recovery, IP Security, Disk Quota, QoS Packet Scheduler, Registry, Scripts, Security, Software Installation, or Wireless Group Policy settings.
• GPO GUID: Enables you to specify the globally unique identifier for the GPO.

 Caution

The search function has a known bug: it can return false positives when settings in the following categories are made, then later removed:

• EFS
• Folder Redirection
• IE Maintenance
• Security Settings
• Software Installation

Therefore, do not regard the search results as an authoritative list of GPOs.
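The GPO Link and User/Computer Configuration search items described above can also be answered from each GPO's XML report, which gives a second source to compare the GPMC search results against. The following PowerShell is an added example, not part of the original course text; it assumes the GroupPolicy module (installed with the GPMC) on a domain-joined computer, and the function name Get-GpoLinkInventory is hypothetical.

```powershell
# Added example, not from the course text. Needs the GroupPolicy module
# (GPMC / RSAT) on a domain-joined computer with read access to the GPOs.
Import-Module GroupPolicy

function Get-GpoLinkInventory {
    [CmdletBinding()]
    param(
        # Assumption: audit the logged-on user's domain unless told otherwise.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Without -Path, Get-GPOReport returns the report as a string.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml

        # One <LinksTo> element per site, domain or OU link; none when unlinked.
        # The Where-Object filter drops the $null that a missing element yields.
        $links = @($report.GPO.LinksTo | Where-Object { $_ })

        # <ExtensionData> names show which setting areas each half contains.
        $computerAreas = @($report.GPO.Computer.ExtensionData |
            Where-Object { $_ } | ForEach-Object { $_.Name })
        $userAreas = @($report.GPO.User.ExtensionData |
            Where-Object { $_ } | ForEach-Object { $_.Name })

        [pscustomobject]@{
            DisplayName   = $gpo.DisplayName
            Guid          = $gpo.Id
            GpoStatus     = $gpo.GpoStatus
            LinkCount     = $links.Count
            LinkedTo      = ($links | ForEach-Object { $_.SOMPath }) -join '; '
            DisabledLinks = @($links | Where-Object { $_.Enabled -eq 'false' }).Count
            ComputerAreas = $computerAreas -join ', '
            UserAreas     = $userAreas -join ', '
        }
    }
}

$inventory = Get-GpoLinkInventory

# GPOs that exist in the domain but are not linked to any site, domain or OU.
$inventory | Where-Object LinkCount -eq 0 |
    Select-Object DisplayName, Guid, GpoStatus

# GPOs whose User Configuration half currently reports Folder Redirection
# settings (the area name is an example filter value).
$inventory | Where-Object UserAreas -like '*Folder Redirection*' |
    Format-Table DisplayName, LinkedTo
```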

Filtering in the GPO Editor

Figure 34: Filtering in the GPO Editor

The Filter option in the GPO Editor allows you to limit the number of Administrative Templates that are displayed. Thousands of items exist by default and you can add more by incorporating additional ADMX templates.

You can limit the display in a number of ways:

• Managed items
• Configured items
• Commented items
• Keyword filtering
• Requirements filtering

Other Group Policy Tools

Figure 35: Other Group Policy Tools

Several tools, some graphical and some command-line based, are used in managing and troubleshooting the Group Policy process.

The following topics describe these tools.

Group Policy Management Editor 

The Group Policy Management Editor, or gpedit.msc, is a tool that allows you to view and modify all of the policy settings within a GPO. Many settings within the editor are simply on, off, or not configured. Other settings require selections from drop-down lists, or they require text entry.

You can start the Group Policy Management Editor from within the GPMC, or as a standalone tool. When launched by itself, it displays the local policies of a computer.

Gpupdate.exe and Invoke-GPUpdate

The Group Policy Update tool, or gpupdate.exe, is a command-line tool that you can use to update GPOs before their scheduled update interval. When you troubleshoot policies, you may sometimes need to apply policies ahead of the normal refresh interval of 90 to 120 minutes.

Invoke-GPUpdate is a PowerShell version of this tool that provides additional options.

Gpresult.exe

The Group Policy Results tool, or gpresult.exe, is a command-line tool that can display all the policy settings that are active for a computer or user. You can redirect output from the tool to a file for later viewing.

Get-GPResultantSetOfPolicy is a PowerShell form of RSOP that can provide results as either HTML or XML output.

Creating Policies

Figure 36: Creating Policies

Policies can be created within the Group Policy Objects container and later linked to a Site, Domain or OU. Policy links can be deleted, and the policy will still be available for use within the Group Policy Objects container.

Once a policy is linked, it will then affect the users or computers from that level and below.
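The create-then-link workflow above, combined with the GPMC backup and import capabilities listed earlier, can be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original course text; the GPO names, backup folder and OU distinguished name are placeholders chosen for illustration.

```powershell
# Added example, not from the course text. Needs the GroupPolicy module and
# rights to create and link GPOs in the domain.
Import-Module GroupPolicy
$ErrorActionPreference = 'Stop'

# Placeholders (assumptions): replace with names from your own domain.
$SourceGpoName = 'Baseline Desktop Policy'
$NewGpoName    = 'Pilot Desktop Policy'
$BackupPath    = 'C:\GPOBackups'
$TargetOu      = 'OU=Pilot,DC=example,DC=com'

# 1. Back up the existing policy object before reusing its settings.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
$backup = Backup-GPO -Name $SourceGpoName -Path $BackupPath `
    -Comment "Backup taken before creating '$NewGpoName'"

# 2. Create the new GPO. At this point it exists only in the Group Policy
#    Objects container and applies to nothing.
if (Get-GPO -Name $NewGpoName -ErrorAction SilentlyContinue) {
    throw "A GPO named '$NewGpoName' already exists."
}
$gpo = New-GPO -Name $NewGpoName -Comment 'Created from a backup of the baseline'

# 3. Import the backed-up settings as the basis for the new object.
Import-GPO -BackupId $backup.Id -Path $BackupPath -TargetName $NewGpoName |
    Out-Null

# 4. Link the GPO. From here it affects users and computers in this OU and below.
New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null

# 5. Deleting the link later does not delete the policy object itself.
Remove-GPLink -Guid $gpo.Id -Target $TargetOu | Out-Null
Get-GPO -Guid $gpo.Id | Select-Object DisplayName, Id, GpoStatus
```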

Editing Policies

Figure 37: Editing Policies

Most organizations implement at least a few of the Group Policy desktop features and restrictions.

Some of these restrictions affect the computer as a whole, while others affect the individual user.

This topic describes some of these features and restrictions.

Computer and User Configuration Items

A GPO is a collection of settings that configure the user or computer environment. Each GPO is broken down into two primary sections:

• Computer Configuration: Any policy settings that occur within the Computer Configuration section apply only to the computer objects that are within the scope of the policy.
• User Configuration: Any settings that occur within the User Configuration section apply only to the user objects that are within the scope of the policy.

Policies

In the Group Policy Management Editor, most of the settings and restrictions that affect computers and users fall under the Policies section. Within the Policies section are three subsections:

• Software Settings: Allows for the deployment of MSI-based software packages via Group Policy.
• Windows Settings: Contains settings that relate to security, folder redirection, logon scripts and more.

Administrative Templates

The Administrative Templates section contains the most widely used settings within Group Policy.

These settings affect everything from the desktop and start menu, to individual applications.

Administrative Templates settings are often associated with locking down the desktop environment, but can be used for much more. Settings in the Computer Configuration section affect the machine as a whole no matter who logs on. The settings in the User Configuration section affect the user wherever they log on.

Preferences

Group Policy Preferences go beyond the typical capabilities of the settings found under Policies.

These settings are more granular, and can apply to systems in a more flexible manner. Preferences are broken down into two sub-sections: Windows Settings and Control Panel Settings.

Preferences do not lock down the setting, allowing a user to change the value at a later time. However, Preferences can be set to reapply upon Group Policy refresh.

Configuring Values

Figure 38: Configuring Values

Most policies have three available states:

• Not Configured
• Enabled
• Disabled

Some policies will have additional values available if they are enabled. These values could be checkboxes, radio buttons, text values, or drop-down lists of options.

Once you click OK to accept the change to the value, that setting is immediately available to the level at which the GPO is linked.

Understanding Group Policy Refresh

Figure 39: Understanding Group Policy Refresh

User and computer policy settings will automatically update on a 90-minute interval, plus a random value of 0 to 30 minutes. This provides a variable window of 90 to 120 minutes for Group Policy refresh so that not every computer on the network is updating at the same time. Most policy changes will be incorporated automatically on this automatic refresh.

Occasionally, it may be necessary to update policies earlier than the scheduled interval, such as when testing or troubleshooting.

Invoke-GPUpdate

Figure 40: Invoke-GPUpdate

Invoke-GPUpdate is a new PowerShell cmdlet that can perform more powerful GPUpdate operations. It can be used to update the local or a remote machine or user's settings. It can also be used to schedule a GPUpdate in the future, up to 31 days later. The refresh is automatically offset by a random delay.

GPUpdate.exe

Figure 41: GPUpdate.exe

The Group Policy Update tool is a command-line tool that is used to update GPOs. When troubleshooting policies, it may sometimes be necessary to apply policies ahead of the normal refresh interval of 90 to 120 minutes.

Remote GPUpdate in the GPMC

Figure 42: Remote GPUpdate in the GPMC

The Group Policy Management Console now supports a Remote GPUpdate mechanism that can update policies for all computers in a specific OU. This is useful when a policy change has been made and it is important for that change to take effect as quickly as possible. The update is scheduled with a random delay and is not instantaneous so as not to affect the network with a surge of update requests all at once.

To perform a Remote GPUpdate:

1. Open the Group Policy Management console.

2. Right-click an OU that has machines that need to be updated, then select the Group Policy Update option.

3. Click Yes to perform the update.
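As an added example (not part of the original course material), the following PowerShell script does from the command line what the Remote GPUpdate steps above do in the GPMC: it calls Invoke-GPUpdate for every enabled computer in an OU and records which machines accepted the request. The OU distinguished name is a placeholder, and the ActiveDirectory and GroupPolicy modules from RSAT are assumed to be installed.

```powershell
# Added example: schedule a Group Policy refresh on every enabled computer in one OU.
# Assumptions: RSAT ActiveDirectory and GroupPolicy modules are available, and
# $SearchBase is a placeholder OU, not a value taken from the course text.
param(
    [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',

    # 0 runs the refresh immediately; 44640 minutes is the 31-day upper limit.
    [ValidateRange(0, 44640)]
    [int]$RandomDelayInMinutes = 10
)

Import-Module ActiveDirectory, GroupPolicy

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase

$results = foreach ($computer in $computers) {
    try {
        # Each target picks its own random offset inside the delay window, so the
        # domain controllers are not hit by every machine at the same moment.
        Invoke-GPUpdate -Computer $computer.DNSHostName `
                        -Target Computer `
                        -RandomDelayInMinutes $RandomDelayInMinutes `
                        -Force `
                        -ErrorAction Stop

        [pscustomobject]@{ Computer = $computer.Name; Scheduled = $true; Error = $null }
    }
    catch {
        # Unreachable or firewalled machines are recorded rather than aborting the run.
        [pscustomobject]@{
            Computer  = $computer.Name
            Scheduled = $false
            Error     = $_.Exception.Message
        }
    }
}

# Failures sort first so machines that will keep the old policy are easy to spot.
$results | Sort-Object Scheduled, Computer | Format-Table -AutoSize
```

Machines listed with Scheduled set to False keep their old settings until their next automatic refresh, so they are the ones to follow up on after a security-relevant policy change.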

Acronyms

The following acronyms are used in this section:

ADMX    Administrative Templates
DACL    discretionary access control list
DNS     Domain Name System
EFS     Encrypting File System
GPMC    Group Policy Management Console
GPO     Group Policy object
GPOE    Group Policy Object Editor
GUID    globally unique identifier
IE      Windows Internet Explorer
IP      Internet Protocol
LDAP    Lightweight Directory Access Protocol
MMC     Microsoft Management Console
OU      organizational unit
QoS     Quality of Service
RSAT    Remote Server Administration Tools
RSoP    Resultant Set of Policy
SP1     Service Pack 1
SP2     Service Pack 2
SP3     Service Pack 3
WMI     Windows Management Instrumentation

 Section Review

Summary

• The advantages of using domain policies instead of local policies are:
  ▪ You can apply policies on a broad basis to large number of computers and users. This provides a central management capability that is not available when you configure policies locally.
  ▪ Policies that are configured through the domain cannot be overridden by local policy settings, so they are more secure.
• Using the GPMC, you can perform most of the common Group Policy operations without having to switch between separate windows in separate Active Directory utilities. The GPMC also offers the following capabilities:
  ▪ OU hierarchy view
  ▪ Policy editing
  ▪ RSoP
  ▪ Backup and restore of policies
  ▪ Back up policy objects (and restore them if necessary)
  ▪ Import settings from one policy object as the basis for creating a new object
  ▪ View all the links for a specific policy object
• The GPMC is included in the RSAT pack for Windows Vista and later. It is also included in Windows Server 2008 and later, but you must enable it. The GPMC requires Windows XP or later to run. It also requires the following:
  ▪ The computer on which you run GPMC must be a member of either a domain in the forest that you wish to administer, or a domain that has a trust with that forest.
  ▪ Windows 2000 Server domain controllers must run SP2 or higher.
  ▪ Windows 2000 Server domain controllers in a separate forest to which you connect must run SP3 or higher.
  ▪ For Windows XP, GPMC also requires the following:
    o Upgrade Windows XP to SP1
    o Microsoft .NET Framework
    o Hotfix Q326469 (updates gpedit.dll to version 5.1.2600.1186)
  ▪ For Windows Vista, GPMC also requires the following:
    o Upgrade Windows Vista to SP1
    o Download and install the RSAT Pack for Windows Vista
• Four subnodes (Domains, Sites, Group Policy Modeling, and Group Policy Results) appear under the forest node. You can use the GPMC to:
  ▪ Show multiple domains in the console pane at the same time (right-click Domains subnode)
  ▪ Connect to a different forest (right-click the top node [Group Policy Management] and select Add Forest)
  ▪ Show the context menu for each node (Actions menu)
• GPMC has two features for searching and filtering:
  ▪ Search: Allows you to search on a per-domain or per-forest basis; specify a condition to search by or create a list of conditions
  ▪ Filter: Allows you to limit the number of Administrative Templates that are displayed; limit the display by managed items, configured items, commented items, keyword filtering, and requirements filtering
• The Group Policy Update tool is a command-line tool that is used to remotely update GPOs. The elements of the gpupdate command are:
  ▪ /Target: {Computer | User}: Used to specify that only the user or computer policy settings that are updated will use this switch
  ▪ /Force: Reapplies the policy settings
  ▪ /Wait:value: Specifies how long the system should wait (in seconds) for the policy processing to complete
  ▪ /Logoff: Indicates that the user is logged off after the policy settings have been applied
  ▪ /Boot: Causes the system to reboot after the policy settings are applied

Knowledge Check

1. What are the advantages of using domain policies instead of local policies? (Choose all that apply.)
   a. They are more secure.
   b. They provide a central management capability.
   c. They affect a large number of computers and users.
   d. They are helpful in a workgroup scenario when you cannot use local-based policies.

2. List the capabilities of the GPMC.

3. How is the GPMC installed on Windows 8?

4. Briefly describe the following elements of the gpupdate command:
   /force:
   /logoff:

5. In which ways can you limit the display of Administrative Templates? (Choose all that apply.)
   a. Managed items
   b. Deleted items
   c. Commented items
   d. Keyword filtering

6. Describe each tool, feature, or policy used to manage group policies in the space provided.
   Group Policy Management Editor:
   Gpupdate.exe:
   Folder redirection:
   User Configuration and Computer Configuration sections of Group Policy:

Knowledge Check Answer Key

The correct answers to the Knowledge Check questions are bolded.

1. What are the advantages of using domain policies instead of local policies? (Choose all that apply.)
   a. They are more secure.
   b. They provide a central management capability.
   c. They affect a large number of computers and users.
   d. They are helpful in a workgroup scenario when you cannot use local-based policies.

2. List the capabilities of the GPMC.
   • Provides a view of the OU hierarchy
   • Contains built-in policy editing
   • Contains inherent RSoP views
   • Provides backup and restore of policies

3. How is the GPMC installed on Windows 8?
   It is installed as part of the RSAT package that must be downloaded from Microsoft.

4. Briefly describe the following elements of the gpupdate command:
   /force: This switch reapplies the policy settings. By default, only the policy settings that have changed are applied.
   /logoff: This switch indicates that the user is logged off after the policy settings have been applied.

5. In which ways can you limit the display of Administrative Templates? (Choose all that apply.)
   a. Managed items
   b. Deleted items
   c. Commented items
   d. Keyword filtering

6. Describe each tool, feature, or policy used to manage group policies in the space provided.
   • Group Policy Management Editor: Is used to view and modify all of the policy settings within a GPO.
   • Gpupdate.exe: Is used to remotely update GPOs.
   • Folder redirection: A process that stores the user’s personal My Documents files on a server instead of locally.
   • User Configuration and Computer Configuration sections of Group Policy:
     ▪ User configuration settings apply only to the computer objects that are within the scope of the policy.
     ▪ Computer configuration settings apply only to the user objects that are within the scope of the policy.
