Microsoft Official Course

Module 11

Implementing Group Policy

Module Overview

• Overview of Group Policy

• Group Policy Processing
• Implementing a Central Store for Administrative
Templates
Lesson 1: Overview of Group Policy

• Components of Group Policy

• What Are Multiple Local GPOs?
• Storage of Domain GPOs
• What Are Group Policies and Preferences?
• What Are Starter GPOs?
• Delegating Management of GPOs
• Demonstration: Creating and Managing GPOs
 Components of Group Policy

A Group Policy Object is a

A Group Policy setting defines a
collection of Group Policy settings
specific configuration change to
that can be applied to a user,
apply to a user or a computer
computer, or both, to enact changes
What Are Multiple Local GPOs?

Multiple Local Group Policies:

• Have a single computer configuration that applies to the
computer for all users who log on
• Have layers of user settings that can apply only to
individual users, not to groups
There are three layers of user configurations:
• Administrator

• Non-Administrator

• User-specific
Storage of Domain GPOs
What Are Group Policies and Preferences?

Group Policy preferences expand the range of

configurable settings within a GPO and:
• Are not enforced

• Enable IT pros to configure, deploy, and manage

operating system and application settings that were
not manageable by using Group Policy

Features of Group Policy Preferences:

• Create: Create a new item on the targeted computer

• Delete: Remove an existing item from the targeted computer

• Replace: Delete and re-create an item on the targeted computer

• Update: Modify an existing item on the targeted computer

What Are Starter GPOs?

A starter GPO:
• Has preconfigured administrative template settings upon which
new GPOs can be based
• Can be exported to .cab files
• Can be imported into other areas of the enterprise

Exported to Imported to
.cab file GPMC

.cab Load
Starter GPO
file .cab file
Delegating Management of GPOs

Delegation of GPO-related tasks allows the administrative

workload to be distributed across the enterprise

The following Group Policy tasks can be independently delegated:

• Creating GPOs
• Editing GPOs

• Managing Group Policy links for a site, domain, or OU

• Performing Group Policy Modeling analysis in a domain or OU

• Reading Group Policy Results data in a domain or OU

• Creating WMI filters on a domain

Demonstration: Creating and Managing GPOs

In this demonstration you will see how to:

• Create a GPO by using the GPMC
• Edit a GPO with the Group Policy Management Editor
• Use Windows PowerShell to create a GPO
Lesson 2: Group Policy Processing

• GPO Links
• Applying GPOs
• Group Policy Processing Order
• What Are the Default GPOs?
• GPO Security Filtering
• Discussion: Identifying Group Policy Application
• Demonstration: Using Group Policy Diagnostic
Tools
GPO Links

• To deliver settings to an object, a GPO must be linked to a

container
• Disabling a link removes the settings from the container
• Deleting a link does not delete the GPO
• GPOs can be linked to:
• Sites
• Domains
• OUs
• GPOs cannot be linked to:
• Users
• Groups
• Computers
• System containers
Applying GPOs

• When you apply GPOs, remember that:

• Computer settings apply at startup
• User settings apply at logon
• Polices refresh at regular, configurable intervals
• Security settings refresh at least every 16 hours
• Policies refresh manually by using:
• The Gpupdate command
• The Windows PowerShell cmdlet Invoke-
Gpupdate
• With the new Remote Policy Refresh feature in
Windows Server 2012, you can remotely refresh
policies
Group Policy Processing Order

GPO1

Group Policy Processing

Local Group Order
GPO2

Site

GPO3

GPO4

Domain

GPO5
OU

OU OU
What Are the Default GPOs?

There are two default GPOs:

• Default Domain Policy
• Used to define the account policies for the
domain:
• Password
• Account lockout
• Kerberos policies
• Default Domain Controllers Policy
• Used to define auditing policies
GPO Security Filtering

Apply Group Policy permissions

• GPO has an ACL (Delegation tab, click Advanced)
• Default: Authenticated Users have Allow Apply Group Policy
Scope only to users in selected global groups
• Remove Authenticated Users
• Add appropriate global groups
• Must be global groups (GPOs do not scope to domain local)
Scope to users except for those in selected groups
• On the Delegation tab, click Advanced
• Add appropriate global groups
• Deny Apply Group Policy permission
 Discussion: Identifying Group Policy Application

GPO4 configures Domain Root GPO 1 GPO1 removes

power options access to registry
for servers tools and
configures power
GPO 4 options

Sales OU GPO 2 GPO2 locks down

Servers OU
desktops, removes
access to Control
Panel, and
Users OU configures
printers

GPO3 configures
power options for
Laptops OU client laptops
Demonstration: Using Group Policy Diagnostic
Tools

• In this demonstration you will see how to:

• Use the Gpupdate command-line tool to refresh Group
Policy
• Use the Gpresult command-line tool and output the
results to an HTML file
• Use the Group Policy Modeling Wizard
Lesson 3: Implementing a Central Store for
Administrative Templates

• What Is the Central Store?

• What Are Administrative Templates?
• How Administrative Templates Work
• Managed and Unmanaged Policy Settings
What Is the Central Store?

• The Central Store:

• Is a central repository for ADMX and ADML files
• Is stored in SYSVOL
• Must be created manually
• Is detected automatically by Windows operating systems and
Windows Server operating systems

ADMX files

Windows workstations Domain controller Domain controller

with SYSVOL with SYSVOL
What Are Administrative Templates?

Administrative Templates determine what settings

appear and how they are grouped in GPO Editor

.admx

.adml Registry
How Administrative Templates Work

• Policy settings in the

Administrative
Templates node make
changes to the
registry
• The setting Prevent
access to registry
editing tools will
change the value of
the HKLM\Software
\Classes\Regedit
Managed and Unmanaged Policy Settings

Administrative Templates
• Managed policy setting
• UI is locked; user cannot make a change to the setting
• Changes are made in one of four reserved registry keys
• Change and UI locks are released when the
user/computer falls out of scope
• Unmanaged policy setting
• UI is not locked
• Changes made are persistent: tattoos the registry
• Only managed settings are shown by default
• Set Filter Options to view unmanaged settings
Preferences
• Effects vary
Lab: Implementing Group Policy

• Exercise 1: Configuring a Central Store

• Exercise 2: Creating GPOs

Logon Information

Virtual Machine 20410A-LON-DC1

20410A-LON-CL1
User Name Adatum\Administrator
Password Pa$$w0rd

Estimated Time:40 minutes

Lab Scenario

• A. Datum Corporation is a global engineering and

manufacturing company with a head office based in
London, England. An IT office and a data center are
located in London to support the London location and
other locations. A. Datum has recently deployed a
Windows Server 2012 infrastructure with Windows 8
clients.
• In your role as a member of the server support team, you
help to deploy and configure new servers and services into
the existing infrastructure based on the instructions given
to you by your IT manager.
• Your manager has asked you to create a central store for
ADMX files to ensure that everyone can edit GPOs that
have been created with customized ADMX files. You also
need to create a starter GPO that includes Internet
Explorer settings, and then configure a GPO that applies
GPO settings for the Marketing department and the IT
department.
Lab Review

• What is the difference between the .admx files and the

.adml files?
• The Sales Managers group should be exempted from
the desktop lockdown policy that is being applied to the
entire Sales OU. All sales user accounts and sales
groups reside in the Sales OU. How would you exempt
the Sales Managers group?
• What command can you use to force the immediate
refresh of all group policies on a client computer?
Module Review and Takeaways

• Review Questions
• Best Practices
• Common Issues and Troubleshooting Tips
• Tools