Company Confidential

1

A Course on Planning A Group Policy Management

And Implementation Strategy

Prepared for: *Stars*

New Horizons Certified Professional Course

FILTERING GROUP POLICY’S SCOPE

• By default, settings flow from site to domain to OU.

• Three ways to control Group Policy settings inheritance– Block Policy Inheritance:– Security filtering– WMI filters

SECURITY FILTERING

WMI FILTERS

• Windows Management Instrumentation (WMI)

• Used for queries and filters concerning– Hardware– Software– Operating system type

• Can be linked to multiple GPOs

WMI FILTER EXAMPLES

Table 10-1 WMI Filter Examples

TTaarrggeett CCoommppuutteerr SSaammppllee WWMMII All computers that arerunning Windows XPProfessional

Select * from Win32_OperatingSystemwhere Caption = "Microsoft WindowsXP Professional"

All computers that havemore than 10 MB ofavailable drive space

on a C: NTFS partition

Select * from Win32_LogicalDiskWHERE Name= "C:" AND DriveType = 3AND FreeSpace > 10485760 ANDFileSystem = "NTFS"

All computers with amodem installed

Select * from Win32_POTSModemWhere Name = " MyModem"

FFiilltteerr SSttrriinngg

CREATING WMI FILTERS

GROUP POLICY MANAGEMENT CONSOLE (GPMC)

• Free add-on tool that can be used to manage Group Policy. Installs on:– Windows XP with Service Pack 1– Any edition of Windows Server 2003

• Can be used for:– Importing and copying GPO settings– Backing up and restoring of GPOs– Executing the Resultant Set of Policy (RSoP) snap-in– Generating HTML reports

INSTALLING GPMC

• GPMC is not on the Windows Server 2003 CD-ROM.

• Can be downloaded for free from the Microsoft

Web site.• In this course, gpmc.msi is on your

supplemental CD-ROM.– Double-click the gpmc.msi file and run through the

wizard.– Distribute through Group Policy.

GPMC CHANGES ACTIVE DIRECTORY USERS AND COMPUTERS

CREATING WMI FILTERS IN GPMC

LINKING WMI FILTERS

NAVIGATING WITH GROUP POLICY MANAGEMENT

INFORMATION DISPLAYED IN THE GPMC INTERFACE

DETERMINING & TROUBLESHOOTING EFFECTIVE POLICY SETTINGS

• Resultant Set Of Policy (RSoP) Wizard

• Group Policy Results

• Group Policy Modeling

• Gpresult.exe command line tool

RSOP LOGGING MODE

RSOP PLANNING MODE

GROUP POLICY MODELING IN GPMC

GROUP POLICY RESULTS

Gpresult.exe

DELEGATING GROUP POLICY ADMINISTRATIVE CONTROL

• Creation of GPOs

• Permissions on GPOs

• Linking of GPOs

• Use of Group Policy Modeling and Group Policy Results

• Creation of WMI filters

• WMI permissions

DELEGATING GPO CREATION

DELEGATING PERMISSIONS TO AN INDIVIDUAL GPO

GPMC Individual GPO Permissions

AAlllloowweedd PPeerrmmiissssiioonnssCCaatteeggoorryy UUnnddeerrllyyiinngg PPeerrmmiissssiioonnss aanndd EEffffeeccttss

Read Allows Read Access on the GPO.

Edit settings Includes Read, Write, Create Child Objects, andDelete Child Objects.

Edit, delete, andmodify security

Includes Read, Write, Create Child Objects, DeleteChild Objects, Delete, Modify Permissions, and Modify

Owner. Implies Full Control without the Apply GroupPolicy permission being set.

Read (fromSecurity Filtering)

An automatic setting that appears when a user hasRead and Apply Group Policy permissions to the GPO.

Custom These permissions include those set individuallyusing the ACL editor for the GPO. The ACL editor isinvoked by using the Advanced button and shows the

Security tab contents for the GPO.

DELEGATING LINKING, MODELING, AND RESULTS

DELEGATING WMI FILTERING

PLANNING GROUP POLICY INTEGRATION

• Create policies at the highest level possible.

• Limit the number of GPOs created.

• Create specialized GPOs for policies.

• Disable unnecessary portions (user or computer).

• Only apply GPOs to sites when settings are required on a site basis.

RECOMMENDATIONS ON GROUP POLICY INHERITANCE

• Limit use of the following:– No Override– Block Policy Inheritance– Security filtering

PLANNING ADMINISTRATION AND IMPLEMENTATION OF GPOS

• Determine which administrators will have policy delegation roles

• Test policy settings

• Document the plan

RESTORING DEFAULT SECURITY SETTINGS

CHAPTER SUMMARY

• Name two methods you can use to filter GPOs.

• How many WMI filters can be applied to each GPO?

• What can you do with GPMC?

• What two modes are available in RSoP?

• List ways in which you can delegate Group Policy control.