System and Group Policies Lecture 7 Hassan Shuja

11/02/2004
• System and Group Policies
– Used to manage user and computer environments
– Some policies are set on the local computer, while other policies are set at the
domain, site, or OU level
– Allows for central management
– Policies offer more options than User profiles
• System Policies
– Policies created to manage non-Windows 2000 clients on a Windows 2000
network
– Provide a consistent environment for a large number of users
– User System Policy
– Two types: an ‘individual user policy’ or a ‘Default user policy’
– Individual applies to a single user
– Default user policy needs to be created and will apply to users if they do not
have an individual user policy
– Group System Policy
– Applies to all users who are members of a group and do not have individual user policies
– If a user has multiple group policies, then they are applied from bottom to top
– The group at the top has the highest priority
• System Policies
– Computer System Policy
– A collection of settings that specifies a local computer’s configuration
– Two types: an ‘individual computer policy’ and a ‘Default computer policy’
– Individual applies to a single computer
– Default computer policy needs to be created and will apply to computers if they
do not have an individual computer policy
– Creating a System Policy
– Use a utility called the System Policy Editor (poledit.exe)
– Save the file as ntconfig.pol for NT clients and as config.pol for non-NT clients
– These files are saved under the NETLOGON share of the domain controller
• Group Policies
– Used to manage Windows 2000 clients
– New feature in Windows 2000
– Central point of administration
– Define users’ environments and system configuration from one central location
– Can configure such things as the start menu, account policies, script assignments,
security settings, and software distribution
– Group Policies consist of two components
– An Active directory object called a Group Policy Object (GPO)
– A series of files and folders that are automatically created when the GPO is
created
– GPOs are associated with a specific AD container
– GPOs also use inheritance
• Group Policies
– Group Policies are applied based on the user’s location in the Active Directory
– For example: if a domain has a group policy, that is applied first, and then if the OU
that the user belongs to has a policy, that is applied second.
– If there are no conflicting policies, then the policies are added together, but when they
conflict the OU policy takes precedence
– Group Policies can be set on each individual computer, at the computer itself,
without the use of AD
– These local policies (gpedit.msc) support the same settings as AD policies except
software installation and folder redirection
– Within AD, you can define three types of GPOs: domain, OU, site
– A site is a collection of subnets on your network connected by high-speed links
– Group Policies on Active Directory are created through “Active Directory Users and
Computers” or “Active Directory Sites and Services”
• Group Policy
– Multiple GPOs can apply to a user object
– The GPO at the top has the highest priority and is therefore processed last
– Policy inheritance works in the following order
– Local computer, Site Policy, Domain Policy, OU Policy
– You can block inheritance, and you can also prevent inheritance from being
blocked (the ‘No Override’ setting)
– If both of these settings are applied, No Override takes precedence over
blocking inheritance
– GPOs can be linked from one OU to another
– This cuts down on administration time
– A new AD object is created
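The processing order and the interaction of Block Inheritance with No Override can be checked with a small model. This is an added example, not part of the original lecture; the GPO names, setting names, and the rule that the local policy is never blocked are assumptions of the model. It also models the standard No Override behaviour that lower-level GPOs cannot overwrite the enforced settings, which the slides do not spell out.

```python
from dataclasses import dataclass, field

ORDER = ["local", "site", "domain", "ou"]  # processing order from the slides

@dataclass
class Gpo:
    name: str
    settings: dict              # setting -> "enabled" / "disabled"; absent = unconfigured
    no_override: bool = False

@dataclass
class Container:
    level: str                  # one of ORDER
    gpos: list = field(default_factory=list)   # top of the list = highest priority
    block_inheritance: bool = False

def effective_policy(containers):
    """Return {setting: (state, name of the GPO that supplied it)}."""
    chain = sorted(containers, key=lambda c: ORDER.index(c.level))
    result, locked = {}, set()
    for i, c in enumerate(chain):
        # A container is blocked when any container below it blocks inheritance.
        # Assumption of this model: the local policy is never blocked.
        blocked = c.level != "local" and any(b.block_inheritance for b in chain[i + 1:])
        for gpo in reversed(c.gpos):           # top GPO is processed last, so it wins
            if blocked and not gpo.no_override:
                continue                       # No Override beats Block Inheritance
            for key, state in gpo.settings.items():
                if key in locked:
                    continue                   # already fixed by a No Override GPO
                result[key] = (state, gpo.name)
                if gpo.no_override:
                    locked.add(key)
    return result

def sample_containers(block=True, enforce=True):
    # Constructed sample data: GPO and setting names are made up.
    return [
        Container("local", [Gpo("Local", {"hide_run": "enabled"})]),
        Container("site", [Gpo("Site-HQ", {"screen_lock": "enabled"})]),
        Container("domain", [
            Gpo("Domain-Baseline", {"pw_complexity": "enabled", "hide_run": "disabled"}, enforce),
            Gpo("Domain-Desktop", {"wallpaper": "enabled"}),
        ]),
        Container("ou", [Gpo("OU-Lab", {"pw_complexity": "disabled"})], block_inheritance=block),
    ]

if __name__ == "__main__":
    for setting, (state, source) in sorted(effective_policy(sample_containers()).items()):
        print(f"{setting}: {state} (from {source})")
```

With both flags set, the OU that blocks inheritance still receives the domain baseline, so an OU administrator cannot shed a No Override security setting by blocking inheritance.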
• Group Policy
– Most settings in a GPO have three states
– Unconfigured, enabled, disabled
– By default all settings in a GPO are unconfigured
– Members of the Enterprise Admins, Domain Admins, or domain
Administrators groups have the necessary permissions to create GPOs
– GP files are saved in the %Systemroot%\SYSVOL\sysvol\domain_name\Policies folder
on the domain controller
– This allows for accessibility from anywhere in the domain and for replication to
other domain controllers
– One challenge is to determine the right policy to apply to your users (Know
what your users do and need before implementing)