System and Group Policies

Lecture 7, Hassan Shuja, 11/02/2004


Page 1: System and Group Policies

System and Group Policies

Lecture 7

Hassan Shuja

11/02/2004

Page 2: System and Group Policies

• System and Group Policies
  – Used to manage user and computer environments
  – Some policies are set on the local computer, while other policies are set at the domain, site, or OU level
  – Allows for central management
  – Policies offer more options than user profiles

Page 3: System and Group Policies

• System Policies
  – Policies created to manage non-Windows 2000 clients on a Windows 2000 network
  – Provide a consistent environment for a large number of users
  – User System Policy
    – Two types: an ‘individual user policy’ or a ‘Default user policy’
    – Individual applies to a single user
    – Default user policy needs to be created and will apply to users if they do not have an individual user policy
  – Group System Policy
    – Applies to all users who are members of a group and do not have individual user policies
    – If a user has multiple group policies, then they are applied from bottom to top
    – The group at the top has the highest priority

Page 4: System and Group Policies

• System Policies
  – Computer System Policy
    – A collection of settings that specifies a local computer’s configuration
    – Two types: an ‘individual computer policy’ and a ‘Default computer policy’
    – Individual applies to a single computer
    – Default computer policy needs to be created and will apply to computers if they do not have an individual computer policy
  – Creating a System Policy
    – Use a utility called the System Policy Editor (poledit.exe)
    – Save the file as ntconfig.pol for NT clients and as config.pol for non-NT clients
    – These files are saved under the NETLOGON share of the domain controller

Page 5: System and Group Policies

• Group Policies
  – Used to manage Windows 2000 clients
  – New feature in Windows 2000
  – Central point of administration
    – Define users’ environments and system configuration from one central location
    – Can configure such things as the start menu, account policies, script assignments, security settings, and software distribution
  – Group Policies consist of two components
    – An Active Directory object called a Group Policy Object (GPO)
    – A series of files and folders that are automatically created when the GPO is created
  – GPOs are associated with a specific AD container
  – GPOs also use inheritance

Page 6: System and Group Policies

• Group Policies
  – Group Policies are applied based on the user’s location in Active Directory
    – For example: if a domain has a group policy, that is applied first, and then if the OU that the user belongs to has a policy, that is applied second
    – If there are no conflicting policies, then the policies are added, but when they conflict the OU policy takes precedence
  – Group Policies can be set locally on each individual computer without the use of AD
    – These policies support the same settings as AD except software installation and folder redirection (gpedit.msc)
  – Within AD, you can define three types of GPOs: domain, OU, site
    – A site is a collection of subnets on your network that high-speed links connect
    – Group Policies on Active Directory are created through “Active Directory Users and Computers” or “Active Directory Sites and Services”

Page 7: System and Group Policies

• Group Policy
  – Multiple GPOs can apply to a user object
    – The GPO at the top has the highest priority and is therefore processed last
  – Policy inheritance works in the following order
    – Local computer, Site Policy, Domain Policy, OU Policy
    – You can block inheritance and you can also prevent inheritance (‘No Override’ setting) from being blocked
    – If both of these settings are applied, No Override takes precedence over blocking inheritance
  – GPOs can be linked from one OU to another
    – This cuts down on administration time
    – A new AD object is created

Page 8: System and Group Policies

• Group Policy
  – Most settings in a GPO have three states
    – Unconfigured, enabled, disabled
    – By default all settings in a GPO are unconfigured
  – Members of the Enterprise Admins, Domain Admins, or domain Administrators groups have the necessary permissions to create GPOs
  – GP files are saved in the %Systemroot%\SYSVOL\sysvol\domain_name\Policies folder on the domain controller
    – This allows for accessibility from anywhere in the domain and for replication to other domain controllers
  – One challenge is to determine the right policy to apply to your users (know what your users do and need before implementing)
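
Added example (not part of the original lecture): a small Python model of the processing order from pages 6 to 8, showing how Block Inheritance on an OU drops a domain baseline unless the GPO is marked No Override. The GPO names and setting names are hypothetical. Two rules are modelling assumptions from general Group Policy behaviour rather than from the slides: local policy is never blocked, and a setting fixed by a No Override GPO cannot be changed by a GPO processed later.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict            # setting -> "enabled" | "disabled"; absent = unconfigured
    no_override: bool = False

@dataclass
class Container:
    level: str                # "local", "site", "domain" or "ou"
    gpos: list = field(default_factory=list)   # listed in processing order
    block_inheritance: bool = False

def effective_policy(chain):
    """chain: containers ordered local, site, domain, OU (parent before child)."""
    # GPOs linked above the lowest blocking container are dropped,
    # unless they are No Override or come from the local computer.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    applied = [g for i, c in enumerate(chain) for g in c.gpos
               if i >= block_at or g.no_override or c.level == "local"]
    result, source, locked = {}, {}, set()
    for g in applied:                      # later GPOs win ordinary conflicts
        for key, state in g.settings.items():
            if key in locked:
                continue                   # fixed earlier by a No Override GPO
            result[key], source[key] = state, g.name
            if g.no_override:
                locked.add(key)
    return result, source

def demo():
    # Constructed sample hierarchy; every name below is hypothetical.
    chain = [
        Container("local", [GPO("Local", {"HideRunMenu": "disabled"})]),
        Container("site", [GPO("Site-HQ", {"ScreenSaverLock": "enabled"})]),
        Container("domain", [
            GPO("Domain-Baseline", {"HideRunMenu": "enabled", "AuditLogon": "enabled"}),
            GPO("Domain-Security", {"DisableRegistryTools": "enabled"}, no_override=True)]),
        Container("ou", [GPO("OU-Sales", {"AuditLogon": "disabled",
                                          "DisableRegistryTools": "disabled"})]),
    ]
    plain = effective_policy(chain)
    chain[3].block_inheritance = True      # the OU now blocks inheritance
    return plain, effective_policy(chain)

if __name__ == "__main__":
    for label, (settings, source) in zip(("inherit", "blocked"), demo()):
        print(label, settings, source)
```

With Block Inheritance set on the OU, the site and domain baseline settings disappear from the result while the No Override GPO still applies, which is the case to look for when auditing where a baseline is actually in force.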