PRACTICAL EXAM #2.

1
PRINT MANAGEMENT
Objectives 2

 Describe the architecture and processing of group policies

 Configure group policy settings, and manage and monitor
group policies
 Work with security templates
 Configure Windows Firewall with Group Policy

© Cengage Learning 2015

Introducing Group Policies 3

 A Group Policy Object (GPO) is a list of settings

that administrators use to configure user and
computer operating environments remotely
 The GPO scope defines which objects a GPO
affects
 Installing Active Directory creates two GPO’s by
default:
 Default Domain Policy
 Default Domain Controllers Policy

© Cengage Learning 2015

Introducing Group Policies 4

 You can view, create, and manage GPO’s by

using the Group Policy Management console
(GPMC)
 Each GPO has two main nodes in GPMC:
 Computer Configuration - Used to set policies that
apply to computers within the GPO’s scope
 User Configuration - Used to set policies that apply
to all users within the GPO’s scope
 Each node contains a Policies folder and
Preferences folder

© Cengage Learning 2015

 5

Figure 6-31 The Group Policy Management console

© Cengage Learning 2015

The Computer 6

Configuration Node
 Three folders under the Policies folder contain the
following information:
 Software Settings - enables Administrators to install
and manage applications remotely
 Windows Settings - contains Name Resolution Policy
node, Scripts extension, Security Settings node, and
the Policy-based QoS node
 Administrative Templates - contains the Control
Panel, Network, Printers, System, and Windows
Components folders.

© Cengage Learning 2015

The User Configuration 7

Node
 Policies folder contains the same three folders
as in the Computer Configuration node, but
policies defined here affect domain users
within the GPO’s scope:
 Software Settings - can assign or publish
application packages
 Windows Settings – Contains four items:
 Scripts extension
 Security Settings node
 Folder Redirection node
 Policy based QoS node
 Administrative templates - contains settings
that enable administrators to control users’
computer and network environments

© Cengage Learning 2015

How Group Policies Are 8

Applied
 GPO’s can be applied in four places:
 Local Computer
 Site
 Domain
 Organizational Unit
 Policies are applied in the above order
 Policies that are not defined or configured are not
applied at all
 Last policy to be defined takes precedence

© Cengage Learning 2015

Group Policy Architecture 9

 Group policy architecture and function involve the following

components:
 GPOs - an object containing policy settings that affect user and
computer operating environments and security. Can be local or
AD objects
 Replication - ensures that all domain controllers have a current
copy of each GPO
 Scope and inheritance - the scope of a group policy defines
which users and computers are affected by its settings
 Creating and linking - GPOs are created in the Group Policy
management console and can be linked to one or more AD
containers

© Cengage Learning 2015

Group Policy Objects 10

 A GPO contains policy settings for managing

many aspects of domain controllers, member
servers, member computers, and users
 Two main types of GPOs:
 Local GPOs
 Domain GPOs

© Cengage Learning 2015

Local GPOs 11

 Local GPOs are stored on local computers, and are edited

via the Group Policy Object Editor snap-in
 Settings in local GPOs that are inherited from domain GPOs
can’t be changed on the local computer.
 Only settings that are undefined or not configured by
domain GPOs can be edited locally
 When you run gpedit.msc, you open a local GPO named
Local Computer Policy containing Computer Configuration
and User Configuration nodes

© Cengage Learning 2015

Local GPOs 12

 Local GPOs that allow different policy settings

depending on who logs on to the computer:
 Local Administrators GPO
 Local Non-Administrators GPO
 User-specific GPO
 To access these GPOs, add the Group Policy
Object Editor snap-in to an MMC
 Browse to open the dialog box, click the Users tab,
and select one of the GPOs

© Cengage Learning 2015

 13

Figure 8-2 Viewing local GPOs

© Cengage Learning 2015

Domain GPOs 14

 Domain GPOs are stored in Active Directory on

domain controllers
 Consists of two separate parts: a Group Policy
Template (GPT) and a Group Policy Container
(GPC)
 GPT and GPC have the following common traits:
 Naming structure
 Folder structure
 Knowing GPO structure is important for resolving
issues

© Cengage Learning 2015

Group Policy Templates 15

 A Group Policy Template (GPT) contains all the

policy settings that make up a GPO as well as
related files, such as scripts, and is contained in
the Sysvol share on a domain controller
 Upon creation of a GPO, several files and
subfolders are created (exact number may vary)
but each GPT folder will contain at least three
items:
 GPT.ini
 Machine
 User

© Cengage Learning 2015

Group Policy Containers 16

 A Group Policy Container (GPC) is stored in the

System\Policies folder
 Contains GPO properties and status information but no policy
settings
 Similar to GPT in that it uses a GPO’s GUID for a folder name
 Information contained in a GPC:
 Name of the GPO
 File path to GPT
 Version
 Status

© Cengage Learning 2015

 17

Figure 8-4 Viewing GPC attributes

© Cengage Learning 2015

Group Policy Replication 18

 GPCs are replicated with Active Directory

 GPTs are replicated by one of the following methods:
 File Replication Service (FRS) - used when running in a mixed
environment of differing Windows Server operating systems
 Distributed File System Replication (DFSR) - used when all DCs
are running Windows Server 2008
 DFSR is more efficient and reliable
 GPC and GPT can become out of sync
 Replication problems can be diagnosed with gpotool.exe

© Cengage Learning 2015

Creating and Linking 19

GPOs
Primary tools for managing, creating, and editing GPOs are
Group Policy Management Console (GPMC) and Group
Policy Management Editor (GPME)
 If editing a GPO that is already linked to a container,
changes in policy settings take effect as soon as clients
download them
 There’s no Save option in the GPME; changes are saved
immediately
 Before introducing multiple policy changes at once, test
them individually

© Cengage Learning 2015

Editing an Existing GPO 20

 To edit, right click the GPO in GPMC and click

Edit, which will open the GPO in GPME
 It is possible to make changes to the default
Domain Policy, but not advisable
 Recommended method for making changes to
domain policies is creating a new GPO and
linking it to the domain
 GPOs are applied to objects in reverse of the
specified link order

© Cengage Learning 2015

 21

Figure 8-8 Multiple GPOs linked to a container

© Cengage Learning 2015

Creating a New GPO 22

 Two ways to create a new GPO with the GPMC:

 Right click the container you’re linking the GPO to
and select “Create a GPO in this domain, and Link it
here”
 Right click the Group Policy Objects folder and click
New
 Best practice is to create GPOs that focus on a
category of settings, then name the GPO
accordingly

© Cengage Learning 2015

Using Starter GPOs 23

 A Starter GPO is a template for creating GPO’s

(not a GPT)
 New GPO wizard includes an option to use a
Starter GPO
 Stored in the Starter GPOs folder in GPMC
 To use a Starter GPO, select one in the Source
Starter GPO list box in the New GPO Wizard, or
right click a starter GPO in the starter GPOs folder
and click New GPO from Starter GPO
 To create a Starter GPO, right click the Starter
GPOs folder and click New

© Cengage Learning 2015

Group Policy Scope 24
 The scope of a group policy defines which objects in
AD are affected by settings in the policy
 If two GPOs are applied to an object, and a setting is
configured on one GPO but not the other, the
configured setting is applied
 Policies are applied in this order:
 1. Local policies
 2. Site-linked GPOs
 3. Domain-linked GPOs
 4. OU-linked GPOs
 The last policy applied takes precedence over
policies applied earlier

© Cengage Learning 2015

Understanding Site-Linked 25

GPOs
 GPOs linked to a site object affect all users and
computers physically located at the site
 Can be used to set up different policies for mobile
users
 In a singular site and domain environment, it is
better to use domain GPOs
 Site GPOs can be confusing for users if policy
changes are drastic enough between sites

© Cengage Learning 2015

Understanding Domain- 26

Linked GPO
 GPOs at the domain level should contain settings
that apply to all objects in the domain
 Account policies can be defined only at the
domain level
 Active Directory folders, such as Computers and
Users, are not OUs and can’t have a GPO linked
to them
 Best practices suggest setting account policies
and a few critical security policies at the domain
level

© Cengage Learning 2015

Understanding OU-Linked 27

GPOs
 Fine-tuning of group policies should be done at
the OU level
 OU-linked policies are applied last
 They take precedence over site and domain
policies
 Users and computers with similar policy
requirements should be located in the same OU
 Since OUs can be nested, so can GPOs
 GPOs applied to nested OUs should be used for
exceptions to policies set at a higher level

© Cengage Learning 2015

Changing Default GPO 28

Inheritance Behavior
 GPO inheritance is enabled by default
 To see where policies are inherited from, select a
container in the left pane of GPMC and click the
group policy inheritance tab in the right pane
 There are several ways to affect GPO inheritance:
 Blocking inheritance
 Enforcing inheritance
 GPO filtering

© Cengage Learning 2015

Blocking GPO Inheritance 29

 Prevents GPOs linked to parent containers from

affecting child containers
 To block GPO inheritance, in GPMC, right click the
child domain or OU and click Block Inheritance
 If blocking is enabled, the OU or domain object is
displayed with a blue exclamation point
 Inheritance blocking should be used sparingly
 Frequent blocking implies a possible flawed OU
design

© Cengage Learning 2015

Enforcing GPO 30

Inheritance
 Forcing GPO Inheritance overrides any conflicting
configurations at a deeper level
 A GPO that’s enforced has the strongest
precedence of all GPOs in its scope
 If multiple GPOs are enforced, the GPO at the
highest level is enforced in a conflict
 Example: If a GPO linked to an OU and a GPO
linked to a domain are both set to be enforced,
the GPO linked to the domain has stronger
precedence

© Cengage Learning 2015

 31

Figure 8-11 The Active Directory Structure for GPO inheritance examples

© Cengage Learning 2015

GPO Filtering 32

 GPO filtering - a method to alter the normal scope of a GPO

and exclude certain objects from being affected by its
settings
 Two types of GPO filtering:
 Security filtering
 Windows Management Instrumentation (WMI) filtering
 Security filtering uses permissions to restrict objects from
accessing a GPO
 Use the Security Filtering dialog box in the GPMC to add or
remove security principals from the GPO access list

© Cengage Learning 2015

 33

Figure 8-12 Viewing security filtering settings

© Cengage Learning 2015

GPO Filtering 34

 Another way to use security filtering is to edit the

GPO’s DACL directly
 In the GPMC, click the GPO in the Group Policy
Objects folder, and click the Delegation tab in the
right pane to see a complete list of ACEs for the
GPO
 WMI filtering uses queries to select a group of
computers based on certain attributes, and then
applies or doesn’t apply policies based on the
query’s results

© Cengage Learning 2015

Group Policy Settings 35

 Settings in Computer Configuration take precedence over

settings in User Configuration, should there be a conflict
 Three folders under the Policies folder:
 Software Settings
 Windows Settings
 Administrative Templates
 Policy settings can be managed or unmanaged
 Managed policies reset to ‘Not configured’ when the object
falls outside of the policy’s scope
 Unmanaged policies are persistent

© Cengage Learning 2015

Policies in the Computer 36

Configuration Node
 The Computer Configuration node applies
policies to computers regardless of who logs on to
the computer
 Contains most of the security related settings in
the Account Policies, User Rights Assignment,
Audit Policy, and Security Options nodes
 Computer configuration policies are uploaded to
a computer when the OS starts and are updated
every 90 minutes thereafter
 Some policy changes may require a restart

© Cengage Learning 2015

Computer Configuration: 37

Software Settings
 Contains the Software Installation extension,
which can be configured to install software
packages remotely
 Applications are deployed with the Windows
Installer service, which uses MSI files
 An MSI file is a collection of files packaged into a
single file with an .msi extension
 Contains the instructions Windows Installer needs to
install the application correctly

© Cengage Learning 2015

Computer Configuration: 38

Windows Settings
 The Windows Settings folder contains four
subnodes:
 Name Resolution Policy - used to deploy DNS
security (DNSSEC) policies to clients
 Scripts (Startup/Shutdown) - allows the creation of
scripts to be run during startup or shutdown
 Security Settings - contains subnodes for setting
security policies
 Policy-based QoS - enables administrators to
manage the use of network bandwidth and
prioritize network packets based on type of data in
the packet

© Cengage Learning 2015

Security Settings 39

 There are over 100 policies under Security Settings

 Some of the most important are under Account
Policies and Local Policies
 Many of the important policies are covered in the
following sections

© Cengage Learning 2015

Local Policies: Audit Policy 40

 Applies to what users can and can’t do on the local

computer to which they log on
 Administrators can audit events such as logon and logoff, file
and folder access, Active Directory access, and system and
process events
 Can be enabled for successful events, failed events, or both
 Creates a lot of system overhead so it should be used
sparingly
 Events created by auditing are listed in the Security log

© Cengage Learning 2015

Auditing Object Access 41

 There are two steps for auditing objects:

 Enable the “Audit object access” policy for success,
failure, or both
 Enable auditing on target objects for success,
failure, or both
 After object access is enabled in Group Policy,
you need to enable auditing on the target object
 Do this by changing the system access control list
(SACL) for the object in the Auditing tab of the
Advanced Security Settings dialog box for the
object

© Cengage Learning 2015

 42

Figure 8-15 The Auditing tab for a folder

© Cengage Learning 2015

Changing Default 43

Auditing
 Windows Server 2012/R2 logs successful logon
events and certain other events by default
 You must use the auditpol.exe command-line tool
to have more control over the types of events
that are audited
 To clear all audit policy subcategories so that
auditing is controlled only by Group Policy, type:
 auditpol /clear

© Cengage Learning 2015

Local Policies: User Rights 44

Assignment
 User rights define the actions users can take on a
computer
 More than 40 user rights polices can be assigned
 The Default Domain Controllers Policy specifies
User Rights Assignment policies that define actions
users can take on domain controllers

© Cengage Learning 2015

Local Policies: Security 45

Options
 This subnode includes almost 100 settings
 One category of security policies to configure
right away is User Account Control
 Determine what happens on a computer when a
user attempts to perform an action that requires
elevation
 Elevation - a process that occurs when a user
attempts to perform an action requiring
administrative rights and is prompted to enter
credentials

© Cengage Learning 2015

Local Policies: Security 46

Options
Additional settings that are commonly configured:
 Accounts: Administrator account status
 Accounts: Guest account status
 Accounts: Limit local account use of blank passwords to console
logon only
 Accounts: Rename administrator account
 Accounts: Rename guest account
 Interactive logon: Do not display last user name
 Interactive logon: Do not require CTRL+ALT+DEL
 Microsoft network server: Disconnect clients when logon hours
expire

© Cengage Learning 2015

Computer Configuration: 47

Administrative Templates
 Administrative Templates folder has the following
subnodes:
 Control Panel
 Network
 Printers
 Server
 Start Menu and Taskbar
 System
 Windows Components

© Cengage Learning 2015

Policies in the User 48

Configuration Node
 Policies set under the User Configuration node
follow a user wherever he or she logs on
 User Configuration node lacks most of the security
settings and account policies than Computer
Configuration node
 Policies under User Configuration node are more
focused on the user’s environment, such as
Windows features that can and can’t be
accessed

© Cengage Learning 2015

User Configuration: 49

Software Settings
 Performs the same function as in Computer
Configuration
 Because it’s defined in the User Configuration
node of a GPO, it affects users in the scope of the
GPO no matter where they log on

© Cengage Learning 2015

User Configuration: 50

Windows Settings
 Windows Settings contains four subnodes:
 Scripts (Logon/Logoff) - identical to Scripts policy,
except scripts specified here are run only by users in
the GPO’s scope
 Security Settings - contains two folders: Public Key
Policies and Software Restriction Policies
 Folder Redirection - controls which folders in a user’s
profile are redirected to a location outside the
user’s profile folder
 Policy-based QoS - the same function as in the
Computer Configuration node but applied to users

© Cengage Learning 2015

User Configuration: 51

Administrative Templates
 Affects the HKEY_CURRENT_USER section of the
computer’s Registry
 Very similar to the Administrative Templates in the
Computer Configuration node
 Contain the Control Panel, Network, Start Menu
and Taskbar, System, and Windows Components
subnodes as well as the following subnodes:
 Desktop
 Shared Folders

© Cengage Learning 2015

Managing GPO Status 52

and Link Status

 After a GPO is created, it can be in one of the
following states:
 Link status: unlinked
 Link status: enabled
 Link status: disabled
 GPO status: Enabled
 GPO status: User Configuration Settings Disabled
 GPO status: Computer Configuration Settings
Disabled
 GPO status: All Settings Disabled

© Cengage Learning 2015

Summary 53
 Group policy architecture and function involves three
components: GPOs, replication, scope and inheritance,
and creating and linking GPOs
 GPO replication is handled by Active Directory replication
for GPCs and by FRS or DFSR for GPTs
 You use the Group Policy Management console to create,
link, and manage GPOs and the Group Policy
Management Editor to edit GPOs
 Starter GPOs are like template files for GPOs
 GPOs can be linked to sites, domains, and OUs
 Default GPO inheritance can be changed by using
inheritance blocking, enforcement, and GPO filtering

© Cengage Learning 2015

Summary 54

 The Computer Configuration and User Configuration

nodes contain three subnodes: Software Settings,
Windows Settings, and Administrative Templates
 The Security Settings node in Computer Configuration
contains the Account Policies subnode with settings
that affect all domain users
 The Local Policies subnode in the Security Settings node
contains Audit Policy, User Rights Assignment, and
Security Options
 Administrative Templates can control hundreds of
settings on computers and for users

© Cengage Learning 2015

Summary 55

 Security templates are used to transfer security

settings easily from one GPO or computer to
another and can be used to analyze a computer’s
current settings against a security database
created from one or more security templates
 The ADMX central store can be created to ensure
that ADMX files are synchronized among all
computers where group policies are managed

© Cengage Learning 2015