GP implementation
A Course on Planning A Group Policy Management And Implementation Strategy
Prepared for: *Stars* New Horizons Certified Professional Course
Company Confidential

FILTERING GROUP POLICY'S SCOPE
• By default, settings flow from site to domain to OU.
• Three ways to control Group Policy settings inheritance
  – Block Policy Inheritance
  – Security filtering
  – WMI filters

SECURITY FILTERING

WMI FILTERS
• Windows Management Instrumentation (WMI)
• Used for queries and filters concerning
  – Hardware
  – Software
  – Operating system type
• Can be linked to multiple GPOs

WMI FILTER EXAMPLES
Table 10-1 WMI Filter Examples

Target Computer: All computers that are running Windows XP Professional
Sample WMI Filter String: Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"

Target Computer: All computers that have more than 10 MB of available drive space on a C: NTFS partition
Sample WMI Filter String: Select * from Win32_LogicalDisk WHERE Name = "C:" AND DriveType = 3 AND FreeSpace > 10485760 AND FileSystem = "NTFS"

Target Computer: All computers with a modem installed
Sample WMI Filter String: Select * from Win32_POTSModem Where Name = "MyModem"

CREATING WMI FILTERS

GROUP POLICY MANAGEMENT CONSOLE (GPMC)
• Free add-on tool that can be used to manage Group Policy. Installs on:
  – Windows XP with Service Pack 1
  – Any edition of Windows Server 2003
• Can be used for:
  – Importing and copying GPO settings
  – Backing up and restoring of GPOs
  – Executing the Resultant Set of Policy (RSoP) snap-in
  – Generating HTML reports

INSTALLING GPMC
• GPMC is not on the Windows Server 2003 CD-ROM.
• Can be downloaded for free from the Microsoft Web site.
• In this course, gpmc.msi is on your supplemental CD-ROM.
  – Double-click the gpmc.msi file and run through the wizard.
  – Distribute through Group Policy.

GPMC CHANGES ACTIVE DIRECTORY USERS AND COMPUTERS

CREATING WMI FILTERS IN GPMC

LINKING WMI FILTERS

NAVIGATING WITH GROUP POLICY MANAGEMENT

INFORMATION DISPLAYED IN THE GPMC INTERFACE

DETERMINING & TROUBLESHOOTING EFFECTIVE POLICY SETTINGS
• Resultant Set Of Policy (RSoP) Wizard
• Group Policy Results
• Group Policy Modeling
• Gpresult.exe command line tool

RSOP LOGGING MODE

RSOP PLANNING MODE

GROUP POLICY MODELING IN GPMC

GROUP POLICY RESULTS

Gpresult.exe

DELEGATING GROUP POLICY ADMINISTRATIVE CONTROL
• Creation of GPOs
• Permissions on GPOs
• Linking of GPOs
• Use of Group Policy Modeling and Group Policy Results
• Creation of WMI filters
• WMI permissions

DELEGATING GPO CREATION

DELEGATING PERMISSIONS TO AN INDIVIDUAL GPO
GPMC Individual GPO Permissions

Allowed Permissions Category: Read
Underlying Permissions and Effects: Allows Read Access on the GPO.

Allowed Permissions Category: Edit settings
Underlying Permissions and Effects: Includes Read, Write, Create Child Objects, and Delete Child Objects.

Allowed Permissions Category: Edit, delete, and modify security
Underlying Permissions and Effects: Includes Read, Write, Create Child Objects, Delete Child Objects, Delete, Modify Permissions, and Modify Owner. Implies Full Control without the Apply Group Policy permission being set.

Allowed Permissions Category: Read (from Security Filtering)
Underlying Permissions and Effects: An automatic setting that appears when a user has Read and Apply Group Policy permissions to the GPO.

Allowed Permissions Category: Custom
Underlying Permissions and Effects: These permissions include those set individually using the ACL editor for the GPO. The ACL editor is invoked by using the Advanced button and shows the Security tab contents for the GPO.

DELEGATING LINKING, MODELING, AND RESULTS

DELEGATING WMI FILTERING

PLANNING GROUP POLICY INTEGRATION
• Create policies at the highest level possible.
• Limit the number of GPOs created.
• Create specialized GPOs for policies.
• Disable unnecessary portions (user or computer).
• Only apply GPOs to sites when settings are required on a site basis.

RECOMMENDATIONS ON GROUP POLICY INHERITANCE
• Limit use of the following:
  – No Override
  – Block Policy Inheritance
  – Security filtering

PLANNING ADMINISTRATION AND IMPLEMENTATION OF GPOS
• Determine which administrators will have policy delegation roles
• Test policy settings
• Document the plan

RESTORING DEFAULT SECURITY SETTINGS

CHAPTER SUMMARY
• Name two methods you can use to filter GPOs.
• How many WMI filters can be applied to each GPO?
• What can you do with GPMC?
• What two modes are available in RSoP?
• List ways in which you can delegate Group Policy control.
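
Added example (not part of the course material): a PowerShell check that runs the three Table 10-1 filter strings against a computer before the filter is linked to a GPO, using the rule that a WMI filter is true when its query returns at least one instance. The function name Test-WmiFilterQuery and the choice to report a failed query as a non-match are assumptions of this sketch; it relies on Get-CimInstance (PowerShell 3.0 or later).

```powershell
# Added example: pre-check WMI filter strings before linking them to a GPO.
# Test-WmiFilterQuery is a hypothetical helper name, not a built-in cmdlet.
function Test-WmiFilterQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2',
        [string]$ComputerName              # optional: test a remote target
    )
    $cimArgs = @{ Namespace = $Namespace; Query = $Query; ErrorAction = 'Stop' }
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }
    try {
        # @() forces an array so Count works for zero or one instance.
        $instances = @(Get-CimInstance @cimArgs)
        [pscustomobject]@{
            FilterTrue = ($instances.Count -gt 0)   # at least one instance
            Instances  = $instances.Count
            Error      = $null
            Query      = $Query
        }
    } catch {
        # Syntax error, unknown class, or access denied: reported here as a
        # non-match (assumption of this sketch) with the reason preserved.
        [pscustomobject]@{
            FilterTrue = $false
            Instances  = 0
            Error      = $_.Exception.Message
            Query      = $Query
        }
    }
}

# The three filter strings from Table 10-1.
$table10_1 = @(
    'Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"'
    'Select * from Win32_LogicalDisk WHERE Name = "C:" AND DriveType = 3 AND FreeSpace > 10485760 AND FileSystem = "NTFS"'
    'Select * from Win32_POTSModem Where Name = "MyModem"'
)

$table10_1 | ForEach-Object { Test-WmiFilterQuery -Query $_ } |
    Format-Table FilterTrue, Instances, Error, Query -Wrap
```

A row with FilterTrue = False and a populated Error column points to a mistyped class or property name, which would otherwise silently keep the GPO from applying to any computer.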