
11.1 © 2004 Pearson Education, Inc.

Exam 70-297 Designing a Microsoft® Windows® Server 2003 Active Directory and Network Infrastructure

Lesson 11: Planning Group Policy Implementation

Goals

Design Group Policies to control the user environment

Design Group Policies to control the computer environment

Understand Group Policy application

Design a Group Policy administration strategy

Design a Group Policy deployment strategy


Designing Group Policies to Control the User Environment (Skill 1)

Group Policy

Can be used to define a user’s desktop environment by managing various components

Contains two primary nodes:

User Configuration: Affects environment associated with user accounts

Computer Configuration: Responsible for defining configuration changes to computer accounts (see Skill 2)


Designing Group Policies to Control the Computer Environment (Skill 2)

Computer Configuration node

Responsible for defining configuration changes to computer accounts

Changes apply to the computer account regardless of the user that is logged in

Settings take precedence over user configuration settings if there is a conflict

Use same process to design computer configuration policies as used for designing user configuration policies


Understanding Group Policy Application (Skill 3)

Role of Group Policy begins when a computer starts up and user logs on (see Figure 11-1 for description of process of computer startup and user logon)

Group Policies are inherited from parent containers to child containers

Possible to set a separate Group Policy for a child container to override settings it inherits from its parent container

Group Policies do not flow between domains

Exception: A Group Policy applied to a site affects all users and/or computers in the site, regardless of domain


Understanding Group Policy Application (2) (Skill 3)

Processing sequence

If there are no conflicts between policies, all settings from all policies apply

If a conflict occurs, the policy applied last wins

Sequence in which Group Policy settings are applied:

1. Local GPO

2. Site GPO

3. Domain GPO

4. OU GPOs


Understanding Group Policy Application (3) (Skill 3)

If more than one GPO is linked to a site, domain, or OU, policies are processed in reverse order (bottom to top) for each container

Exceptions to order in which GPOs are processed:

If a computer belongs to a workgroup, it processes only local GPOs

If the No Override option is set for a GPO, no configured policy settings in the GPO can be overridden

In case of multiple GPOs set to No Override, the GPO that is highest in the Active Directory hierarchy gets highest priority; if multiple GPOs in a single container, the one at the bottom of the list wins


Understanding Group Policy Application (4) (Skill 3)

If Block Policy Inheritance is set for a domain or OU, the GPOs above that point in the structure are blocked

If there is a conflict between No Override and Block Inheritance, No Override always wins

If Loopback settings are applied to a GPO list, the default GPO processing order is not maintained

Group Policies are never applied to Windows NT, 95, 98 or Windows Me computers
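The precedence rules from the "Understanding Group Policy Application" slides, written out as a small Python model that resolves conflicting settings and reports which GPO supplied each value. This is an added example, not part of the original lesson or any Microsoft tool. The class names, GPO names and settings are constructed; loopback processing is not modelled, and the model assumes at most one No Override link per container.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    settings: dict
    no_override: bool = False

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # top of the link list first
    block_inheritance: bool = False

def effective_settings(local, chain):
    """chain = [site, domain, OU, child OU, ...]; returns {setting: (value, source GPO)}."""
    # Lowest container with Block Policy Inheritance set: links from containers
    # above it are dropped unless they are marked No Override.
    barrier = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, forced = [], []
    for i, c in enumerate(chain):
        if sum(l.no_override for l in c.links) > 1:
            raise ValueError(f"{c.name}: model assumes one No Override link per container")
        for link in reversed(c.links):  # bottom to top, so the top link applies last
            if link.no_override:
                forced.append(link)
            elif i >= barrier:
                normal.append(link)
    result = {k: (v, "Local GPO") for k, v in local.items()}  # local GPO applies first
    # No Override links are written after everything else, lowest container first,
    # so the one highest in the hierarchy is written last and wins.
    for link in normal + forced[::-1]:
        for k, v in link.settings.items():
            result[k] = (v, link.gpo)
    return result

# Constructed sample hierarchy: site -> domain -> OU=Lab (which blocks inheritance).
LOCAL = {"screensaver_timeout": 900, "hide_run": False}
CHAIN = [
    Container("site", [Link("Site-Proxy", {"proxy": "proxy.site.example"})]),
    Container("domain", [
        Link("Domain-Baseline", {"screensaver_timeout": 600, "hide_run": True}, no_override=True),
        Link("Domain-Desktop", {"wallpaper": "corp.bmp"}),
    ]),
    Container("OU=Lab", [Link("Lab-GPO", {"screensaver_timeout": 0, "wallpaper": "lab.bmp"})],
              block_inheritance=True),
]
if __name__ == "__main__":
    print(effective_settings(LOCAL, CHAIN))
```

In the sample, the Lab OU's block removes the site and ordinary domain links, but the No Override baseline still overrides the OU's own screensaver setting.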


Figure 11-1 The sequence in which computer configuration and user configuration settings are applied

(Skill 3)


Figure 11-2 The GPO list

(Skill 3)


Figure 11-3 The components of GPO administration

(Skill 4)


Designing a Group Policy Deployment Strategy (Skill 5)

Factors to consider when implementing Group Policy:

Location of GPOs

Delegation of authority

Organization structure


Designing a Group Policy Deployment Strategy (2) (Skill 5)

Major types of Group Policy implementation strategies:

Centralized vs. decentralized GPO design

Functional role or team design

Delegation with central control design or distributed control design


Designing a Group Policy Deployment Strategy (3) (Skill 5)

Centralized vs. decentralized GPO design

Centralized approach suggests organization network should be maintained by a small number of large GPOs

Decentralized approach uses separate GPOs for specific policy settings


Designing a Group Policy Deployment Strategy (4) (Skill 5)

Functional role or team design

Uses functional roles of users in the organization to apply Group Policy

Create an OU structure that corresponds to the team structure of the organization

Create a GPO for each OU

Minimizes the number of GPOs to be used as each GPO caters to the needs of a group


Designing a Group Policy Deployment Strategy (5) (Skill 5)

Delegation with central control design or distributed control design

Central control is based on delegating the administrative control of OUs to various administrators of an organization

As an example, create a GPO with specific desktop settings at the domain level

Settings would apply on all child containers, thus maintaining centralized control on the entire domain


Designing a Group Policy Deployment Strategy (6) (Skill 5)

Resultant Set of Policy (RSoP)

Useful tool for troubleshooting Group Policies

Shows the effective Group Policy settings applied to a user, and the GPOs from which those settings are inherited

New feature in Windows Server 2003

Similar to gpresult.exe, which is included in Windows 2000 Resource Kit for Windows 2000 domains