Академический Документы
Профессиональный Документы
Культура Документы
Group Policy
based settings
Security settings
Software installation
Scripts
Folder redirection
Remote Installation Services
Internet Explorer maintenance
Registry-based Settings
Control over desktop, control panel access,
authorities
IP Security Policies IP security
Software Installation
Use to install software
Use to upgrade software
Three methods
Script Settings
Assign scripts (login, logout etc.)
Set processing order
Folder Redirection
Redirect special folders
Choices
No redirection
Direct to same location
Different locations based on security
groups
Properties of GPO/General
disable it
No Override
container
Filter using security groups
No override
Disabled: the GPO is not applied to this
container
sync
\Software\Policies (preferred)
\Software\Microsoft\Windows\CurrentVersi
on\Policies
(SDOU)
Multiple OUs order of application is
according to domain hierarchy (start at top of
tree and work down)
Multiple GPOs for same OU processed in
reverse order of list of GPOs shown for that OU
On boot
According to periodic refresh cycle
User settings
On user logon
According to periodic refresh cycle
Conflicts
Where settings for GPO of parent container
emulator by default
Minimise conflicts
To change
Loopback Processing
Computer settings part of GPO linked to
Delegation
It is possible to delegate responsibility
Managing links
Creating GPOs
Editing GPOs
domain
Common Desktop
Management Scenarios
Package containing GPOs developed for six
Common Desktop
Management Scenarios
NB Loading GPOs into AD does not
GPO changes
Common Desktop
Management Scenarios
White paper
http://www.microsoft.com/technet/treeview/
default.asp?url=/TechNet/prodtechnol/wind
ows2000serv/deploy/grppolsc.asp
All files
http://www.microsoft.com/windows2000/zip
docs/grouppolscen.exe
OU Design Issues
Deep OU structure
Flat OU structure
Less to manage
Shorter logon times
More to manage
Likely to need to more filtering
Increased logon times
Recommendations
Disable unused parts of GPO (computer,
user settings)
Limit use of inheritance blocking, no
override, loopback processing and
filtering
Simplifies troubleshooting
a user or computer
Recommendations cont.
Limit the number of admins who can edit
GPOs
Test thoroughly before applying to
users/computers
Document settings
References
Windows 2000 Group Policy
http://www.microsoft.com/windows2000/do
cs/grouppolwp.doc
Loopback Processing of Group Policy
http://support.microsoft.com/support/kb/arti
cles/Q231/2/87.ASP
http://support.microsoft.com/support/kb/arti
cles/Q260/3/01.ASP
References
Group Policy Application Rules for Domain
Controllers
http://support.microsoft.com/support/kb/articles/Q2
59/5/76.ASP
http://support.microsoft.com/support/kb/articles/Q2
21/9/30.ASP
http://support.microsoft.com/support/kb/articles/Q2
55/5/50.ASP
Diagnosing Problems
Resource kit
Gpotool.exe
Gpresult.exe
FAZAM 2000
Help to see end results of applying a number of
GPOs
http://www.microsoft.com/windows2000/techinfo/re
skit/tools/existing/fazam2000-o.asp
Reduced functionality version
http://www.fullarmor.com/solutions/group/
Full, commercial version