430 likes | 898 Views
Planning a Group Policy Management and Implementation Strategy. Lesson 10. Skills Matrix. Introducing the Group Policy Management MMC Snap-In. Import and copy GPO settings to and from the file system. Backup and restoration of GPOs is available in Group Policy Management.
E N D
Planning a Group Policy Management and Implementation Strategy Lesson 10
Introducing the Group Policy Management MMC Snap-In • Import and copy GPO settings to and from the file system. • Backup and restoration of GPOs is available in Group Policy Management. • Resultant Set of Policy (RSoP) functionality integration includes Group Policy Modeling and Group Policy Results. Lesson 10
Introducing the Group Policy Management MMC Snap-In (cont.) • GPMC is natively installed with Windows Server 2008. • Hypertext Markup Language (HTML) reports allow read-only views of GPO settings and RSoP information. Lesson 10
Introducing the Group Policy Management MMC Snap-In (cont.) • Search for GPOs based on name, permissions, WMI filter, GUID, or policy extensions set in the GPOs. • Search for individual settings within a GPO by keyword, and search for only those settings that have been configured. Lesson 10
Introducing the Group Policy Management MMC Snap-In (cont.) Lesson 10
Managing an Individual GPO • Scope • Details • Settings • Delegation Lesson 10
Configuring a Starter GPO • Open the Group Policy Management MMC console. • Drill down to <forest name>, click <domainname>, and then click Starter GPOs. • If this is the first time you have used Starter GPOs, the Contents tab is gray. Click Create Starter GPOs Folder. Lesson 10
Configuring a Starter GPO (cont.) • Right-click the Starter GPO’s node, and click New. The New Starter GPO dialog box is displayed. • Enter a name and description for the Starter GPO, and click OK. • Right-click the Starter GPO that you just created, and click Edit. The Group Policy Starter GPO Editor will open. Lesson 10
Configuring a Starter GPO (cont.) • Make any modifications to this Starter GPO, and then close the Group Policy Starter GPO Editor. • To create a new GPO that is based on this Starter GPO, navigate to the Group Policy Objects node. Lesson 10
Configuring a Starter GPO (cont.) • Right-click Group Policy Objects, and click New. The window shown in Figure 10-7 is displayed. • Enter a name for the new GPO. • In the Source Starter GPO drop-down list, select the Starter GPO that you want to use as the source of the new GPO, and click OK. Lesson 10
Configuring Security Group Filtering • Remove the ACE entry for the Authenticated Users group that grants Read and Apply Group Policy permissions. • Grant these two permissions to only the groups that you want the GPO to affect. Lesson 10
Configuring Security Group Filtering (cont.) • Set the Apply Group Policy ACE to Deny for the specific group or groups that you want to exclude from the Group Policy. • The GPO will still apply to all other users because of the Authenticated Users ACE. • Open the Group Policy Management MMC snap-in. Lesson 10
Configuring Security Group Filtering (cont.) • Navigate to the GPO that you wish to modify. Click the Delegation tab, and then click Advanced. • If the Administrators group is not listed in the Group or User Names window, click Add. • Key Administrators in the Enter Object Names to Select box, and click OK. Lesson 10
Configuring Security Group Filtering (cont.) • Make sure that Administrators is selected, and click the Deny checkbox for the Apply Group Policy permission. • Click OK. Read the dialog box, and click Yes to continue. • Click OK to close the Properties dialog box for the GPO. Lesson 10
Configuring WMI Filtering • Open the Group Policy Management MMC snap-in. Drill down to <forest name>, click <domainname>, and then click WMI Filters. • Right-click the WMI Filters node, and click New. • In the Name and Description fields, enter a name and description for the new WMI filter. Lesson 10
Configuring WMI Filtering (cont.) • In the Queries section, click Add. The WMI Query window will be displayed. • Enter the desired query information, and click OK. • Click Save to create the WMI filter. Lesson 10
Configuring WMI Filtering (cont.) • Navigate to the Group Policy Objects node. • Select the GPO to be assigned to this WMI filter. • On the Scope tab, select the name of the WMI filter you just created from the WMI Filtering drop-down box. • Click Yes to confirm your changes. Lesson 10
Using the Resultant Set of Policy Wizard • Click Start, and click Run. • Key mmc, and pressEnter. • From the File menu, select Add/Remove Snap-in, and then click the Add button. • Select the Resultant Set of Policy snap-in from the Add Standalone Snap-in windows. • Click Add, and then click Close. Lesson 10
Using the Resultant Set of Policy Wizard (cont.) • Click OK to finish creating the new console window. • In the left console pane, select Resultant Set of Policy. • From the Action menu, select Generate RSoP Data to launch the RSoP Wizard, and click Next. • In the Mode selection page, select Planning Mode, and click Next to continue. Lesson 10
Using the Resultant Set of Policy Wizard (cont.) • In the User and Computer Selection page, complete the appropriate fields to select the user or computer for which you wish to simulate policy settings, and click Next to proceed. • In the Advanced Simulation Options page, you can choose to simulate your policy with additional conditions, such as slow links and loopback processing. • Click Next to continue. Lesson 10
Using the Resultant Set of Policy Wizard (cont.) • On the User Security Groups page, you can choose to simulate the effect of changing the user's security group memberships. • The settings on this page are optional. • Click Next to continue. Lesson 10
Using the Resultant Set of Policy Wizard (cont.) • On the Computer Security Groups page, you can simulate changes to the computer's security groups. • The settings on this page are optional. • Click Next to continue. Lesson 10
Using the Resultant Set of Policy Wizard (cont.) • On the WMI Filters for Users page, select any filters that you would like to include in your simulation. • The page settings here are optional. • Click Next to continue. Lesson 10
Using the Resultant Set of Policy Wizard (cont.) • On the WMI Filters for Computers page, select any filters that you would like to include in your simulation. • The page settings here are optional. • Click Next to continue. Lesson 10
Using the Resultant Set of Policy Wizard (cont.) • On the Summary of Selections page, review your simulation query information. • Change the domain controller on which you wish to process the simulation, if necessary, and click Next to generate the report. Lesson 10
Using the Resultant Set of Policy Wizard (cont.) • Click Finish to close the wizard. • The results of your query will be displayed in an MMC window that looks similar to a Group Policy Object Editor window. • The MMC can be saved with the results of the query. Lesson 10
Using the Resultant Set of Policy Wizard (cont.) • In the left console pane, select Resultant Set of Policy. • From the Action menu, select Generate RSoP Data to launch the RSoP Wizard, and click Next. • From the Mode Selection page, select Logging Mode, and click Next to continue. Lesson 10
Using the Resultant Set of Policy Wizard (cont.) • On the Computer Selection page, you can select This Computer, or select Another Computer and key the name of the computer. • If you are not sure of the computer name, you can click Browse to find the computer for which you wish to perform the query. Lesson 10
Using the Resultant Set of Policy Wizard (cont.) • The other option on this page is to click the Do Not Display Policy Settings for the Selected Computer in the Results Display checkbox. • This will eliminate the computer policy settings from the results window. • Click Next to continue. Lesson 10
Using the Resultant Set of Policy Wizard (cont.) • On the User Selection page, select the appropriate bullet for the user for whom you wish to display query results. • If you chose a computer instead of a user in the User and Computer selection page and do not wish to have user policy settings displayed in the final results, you can click the Do Not Display User Policy Settings in the Results checkbox. • Click Next to continue. Lesson 10
Using the Resultant Set of Policy Wizard (cont.) • On the Summary of Selections page, verify your desired query information. • Click the checkbox to show error information, and click Next to begin the analysis. • Click Finish to close the wizard. The MMC window will display the results of your request. Lesson 10
Creating a Group Policy Modeling Query • From the Administrative Tools folder on the Start menu, open Group Policy Management. • Browse to the forest or domain in which you want to create a Group Policy Modeling query. • Right-click Group Policy Modeling, and then click Group Policy Modeling Wizard. Lesson 10
Creating a Group Policy Modeling Query (cont.) • On the Welcome to the Group Policy Modeling Wizard page, click Next. • Complete the remaining pages by entering the information that will build the appropriate simulation criteria. • These remaining pages are the same as those you completed using the Resultant Set of Policy MMC in Planning mode. Lesson 10
Creating a Group Policy Results Query • From the Administrative Tools folder on the Start Menu, open Group Policy Management. • Browse to the forest or domain from which you want to view query results. • In Group Policy Management, navigate to and right-click Group Policy Results. • Select Group Policy Results Wizard. Lesson 10
Creating a Group Policy Results Query (cont.) • On the Welcome to Group Policy Results Wizard page, click Next. • On the Computer Selection page, select the current computer, or click Browse to select another computer. • Click Next to continue. Lesson 10
Creating a Group Policy Results Query (cont.) • On the User Selection page, select the current user, or specify another user for whom you wish to obtain policy results. Click Next. • On the Summary of Selections page, verify your criteria, and click Next. • Click Finish to close the Completing the Group Policy Results Wizard page. Lesson 10
You Learned • Application of group policies can be filtered by using Block Policy Inheritance, No Override, permissions, and WMI filters. • WMI filters allow administrative control over group policy implementation based on criteria defined in the filter. After evaluation, all filter criteria must return a value of true for the policy to be applied. Any criteria that return a value of false after evaluation will prevent the policy from being applied. Lesson 10
You Learned (cont.) • Only one WMI filter can be applied to each GPO. • GPMC can be used to manage all aspects of Group Policy, including the following: creation, linking, editing, reporting, modeling, backup, restore, copying, importing, and scripting. • Determining effective group policies can be accomplished using RSoP, GPMC, or GPResult. Lesson 10
You Learned (cont.) • RSoP is an MMC snap-in that has two modes: Planning and Logging. Planning mode allows administrators to simulate policy settings prior to their deployment. Logging mode reports on the results of existing policies. Lesson 10
You Learned (cont.) • Delegating administrative control of Group Policy management tasks is an important feature when planning a decentralized administrative approach. GPMC is a comprehensive tool that simplifies delegation of all aspects of Group Policy management. Lesson 10