Microsoft Windows 2000 Server

More GPO’s & GPP
Chapter 7
Agenda
• Group Policies (the day after)
• Group Policy Preferences
Group Policies (the day after)
• How can we keep track of what we have done or changed?
• We can name the policy appropriately based on function or grouping of settings
• Interactive_Logon_Policy
• Internet_Explorer_Policy
• The GPMC allows us to make comments regarding a particular policy.
• What should we comment on?
• Who’s in charge of the GPO
• Who to call if there is a problem?
• Who is supposed to be affected by this GPO?
• Detailed information about what this GPO should do
• Who will get fired if this doesn’t work 
Group Policies (the day after)
• Comments…
• GPMCSelect PolicyEditRight click on Policy name (see below)Properties
Group Policies (the day after)
• Comments…
Group Policies (the day after)
• Controlling how GPO’s run
• Disable local GPOs from applying
• CCPoliciesAdmin TemplatesSystemGroup Policy
Group Policies (the day after)
• Controlling how GPO’s run
• Disable Link Enabled Status
• Disable “half” of a Group Policy
• Will speed up processing (not very noticeable)
Group Policies (the day after)
• Controlling how GPO’s run
• The Enforced Function
• Guarantees that policy settings within a GPO from a higher level are always inherited by
lower levels
• Right click on Policy and choose Enforce
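The checks from the "day after" slides (comments, disabled halves, link status, Enforced) can be reported for every GPO at once. This is an added example, not part of the original slides; the function name Get-GpoHygieneReport and the NamePattern parameter are hypothetical, and it assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined admin host.

```powershell
# Added example. Needs the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoHygieneReport {
    param(
        # Assumption: the Function_Policy naming style shown on the slides.
        [string]$NamePattern = '^\w+_Policy$'
    )
    # Containers that carry links: the domain root and every OU (sites are skipped).
    $targets = @((Get-ADDomain).DistinguishedName) +
               @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })

    # One record per link, with the link's Enabled and Enforced flags.
    $links = foreach ($target in $targets) {
        foreach ($link in (Get-GPInheritance -Target $target).GpoLinks) {
            [pscustomobject]@{
                GpoId    = $link.GpoId
                Target   = $target
                Enabled  = $link.Enabled
                Enforced = $link.Enforced
            }
        }
    }

    foreach ($gpo in Get-GPO -All) {
        $mine   = @($links | Where-Object { $_.GpoId -eq $gpo.Id })
        $status = [string]$gpo.GpoStatus
        # A half at version 0 has never had a setting configured, so it can be disabled.
        $idle = @()
        if ($gpo.User.DSVersion -eq 0 -and $status -notin 'UserSettingsDisabled', 'AllSettingsDisabled') { $idle += 'User' }
        if ($gpo.Computer.DSVersion -eq 0 -and $status -notin 'ComputerSettingsDisabled', 'AllSettingsDisabled') { $idle += 'Computer' }

        [pscustomobject]@{
            Name           = $gpo.DisplayName
            Owner          = $gpo.Owner
            HasComment     = -not [string]::IsNullOrWhiteSpace($gpo.Description)
            NameFollowsStd = $gpo.DisplayName -match $NamePattern
            Status         = $status
            EmptyHalfOn    = $idle -join ','
            Links          = $mine.Count
            DisabledLinks  = @($mine | Where-Object { -not $_.Enabled }).Count
            EnforcedOn     = @($mine | Where-Object { $_.Enforced } | ForEach-Object { $_.Target }) -join '; '
        }
    }
}

# GPOs to look at first: no comment, or at least one enforced link.
Get-GpoHygieneReport | Where-Object { -not $_.HasComment -or $_.EnforcedOn } | Format-Table -AutoSize
```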
Group Policy Preferences
• Group Policy Preferences (GPP)
• Extensions or “new settings”
• Adds more than 3000 policy settings!
• Modify the local administrator password on every desktop
• Create a shortcut on the desktop
• Different from normal GPO settings in that they are “sorta” duplicated under user and
computer settings
Group Policy Preferences
• What’s the difference between Group Policies and Preferences?
• *Group Policy settings will:
• not tattoo. In other words, when a Group Policy object (GPO) goes out of scope,
the policy setting is removed allowing the original configuration value to be
used.
• supersede an application's configuration setting. In other words, when a GP
policy is configured to a value, the application is aware of that value and always
uses it over the configurable value.
• be recognized by an application. In other words, the display of the configuration
item under control of a GP policy setting will be unavailable through the user
interface. This is where graying out a configuration item on a menu, not
displaying a dialog box, or providing a pop-up message explaining the current
feature is under administrator control is used to inform the user they can't
configure an option.
• *http://blogs.technet.com/b/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx
Group Policy Preferences
• Group Policy Preference settings will:
• tattoo. In other words, when a GPO goes out of scope, the preference value will
remain in the registry. An administrator is responsible for making sure these
values are set to disable, prior to the GPO going out of scope, if the
administrator wants the preference setting removed. The preference setting will
not be replaced with the original application configuration value.
• overwrite an application's configuration setting. This is accomplished by
overwriting the original user configured-value for the application. No effort is
made to retain the original value before overwriting the value with the
preference setting. And, as was noted in 1, the overwritten value will not be
removed when the GPO goes out of scope.
• not be recognized by an application. In other words, the application's user
interface will allow a user to change the configuration item. Most importantly,
the Group Policy engine only recognizes when a GPO changes, not when the
preference value has been changed. This means the preference setting will be
applied once and not automatically reapplied if the user changes the value of the
configuration item.
Group Policy Preferences
• Group Policy PreferencesSettings are the similar for both user and computer
configurations
Group Policy Preferences
• Group Policy Preferences (GPP) are essentially an extension DLL (dynamic link
library) that does a bunch of stuff.
• Can be “undone” by the user
Group Policy Preferences
• Computer Configuration PreferencesWindows Settings
• Environment:
• Set user and system environment variables
• Change the Windows system path variable
• Files
• Copy files from point A to point B
• Server share to %Documents% on the local system
• Folders
• Create, delete or empty folders
• Network Shares
• Create shares on workstations or servers
• Shortcuts
• Place program or URL on desktops, startup folder, Programs folders, etc.
Group Policy Preferences
• Computer/User ConfigurationPreferencesControl Panel
Group Policy Preferences
Common Control Panel Settings
• Local users and groups
• Create/change local users
• Modify local user passwords
• Change local user group membership
• Power Options
• Create power options for XP
• Create power plans for Vista and later
Group Policy Preferences
• Printers
• ComputerLocal/IP
• UserLocal/IP/Shared
Summary
• You can add comments to help document GPOs
• Enforced Function overrules blocking of inheritance
• You can disable “half” of a GPO
• Group Policy settings are “undone” when the system or user falls out of scope
(Group Policy is changed/link removed or User/Computer is moved to another
container)
• GPP’s are extensions and stay with the system (tattoo’d) regardless of the Group
Policy falling out of scope (Group Policy removed/unlinked from OU)
• GPP’s can be undone by the users