Design Group Policies to control the user environment

1
Goals

• Design Group Policies to control the user
  environment
• Design Group Policies to control the computer
  environment
• Understand Group Policy application
• Design a Group Policy administration strategy
• Design a Group Policy deployment strategy

2
(Skill 1)
Designing Group Policies to Control the User
Environment

• Group Policy
• Can be used to define a users desktop
  environment by managing various components
• Contains two primary nodes
• User Configuration Affects environment
  associated with user accounts
• Computer Configuration Responsible for defining
  configuration changes to computer accounts (see
  Skill 2)

3
(Skill 2)
Designing Group Policies to Control the Computer
Environment

• Computer Configuration node
• Responsible for defining configuration changes to
  computer accounts
• Changes apply to the computer account regardless
  of the user that is logged in
• Settings take precedence over user configuration
  settings if there is a conflict
• Use same process to design computer configuration
  policies as used for designing user configuration
  policies

4
(Skill 3)
Understanding Group Policy Application

• Role of Group Policy begins when a computer
  starts up and user logs on (see Figure 11-1 for
  description of process of computer startup and
  user logon)
• Group Policies are inherited from parent
  containers to child containers
• Possible to set a separate Group Policy for a
  child container to override settings it inherits
  from its parent container
• Group Policies do not flow between domains
• Exception A Group Policy applied to a site
  affects all users and/or computers in the site,
  regardless of domain

5
(Skill 3)
Understanding Group Policy Application (2)

• Processing sequence
• If no conflicts within policies, all settings
  from all policies apply
• If a conflict occurs, the policy to apply last
  wins
• Sequence in which Group Policy settings are
  applied
• Local GPO
• Site GPO
• Domain GPO
• OU GPOs

6
(Skill 3)
Understanding Group Policy Application (3)

• If more than one GPO is linked to a site, domain,
  or OU, policies are processed in reverse order
  (bottom to top) for each container
• Exceptions to order in which GPOs are processed
• If a computer belongs to a workgroup, it
  processes only local GPOs
• If the No Override option is set for a GPO, no
  configured policy settings in the GPO can be
  overridden
• In case of multiple GPOs set to No Override, the
  GPO that is highest in the Active Directory
  hierarchy gets highest priority if multiple GPOs
  in a single container, the one at the bottom of
  the list wins

7
(Skill 3)
Understanding Group Policy Application (4)

• If Block Policy Inheritance is set for a domain
  or OU, the GPOs above that point in the structure
  are blocked
• If there is a conflict between No Override and
  Block Inheritance, No Override always wins
• If Loopback settings are applied to a GPO list,
  the default GPO processing order is not
  maintained
• Group Policies are never applied to Windows NT,
  95, 98 or Windows Me computers

8
(Skill 3)
Figure 11-1 The sequence in which computer
configuration and user configuration settings are
applied
9
(Skill 3)
Figure 11-2 The GPO list
10
(Skill 4)
Figure 11-3 The components of GPO administration
11
(Skill 5)
Designing a Group Policy Deployment Strategy

• Factors to consider when implementing Group
  Policy
• Location of GPOs
• Delegation of authority
• Organization structure

12
(Skill 5)
Designing a Group Policy Deployment Strategy (2)

• Major types of Group Policy implementation
  strategies
• Centralized vs. decentralized GPO design
• Functional role or team design
• Delegation with central control design or
  distributed control design

13
(Skill 5)
Designing a Group Policy Deployment Strategy (3)

• Centralized vs. decentralized GPO design
• Centralized approach suggests organization
  network should be maintained by a small number of
  large GPOs
• Decentralized approach uses separate GPOs for
  specific policy settings

14
(Skill 5)
Designing a Group Policy Deployment Strategy (4)

• Functional role or team design
• Uses functional roles of users in the
  organization to apply Group Policy
• Create an OU structure that corresponds to the
  team structure of the organization
• Create a GPO for each OU
• Minimizes the number of GPOs to be used as each
  GPO caters to the needs of a group

15
(Skill 5)
Designing a Group Policy Deployment Strategy (5)

• Delegation with central control design or
  distributed control design
• Central control is based on delegating the
  administrative control of OUs to various
  administrators of an organization
• As an example, create a GPO with specific desktop
  settings at the domain level
• Settings would apply on all child containers,
  thus maintaining centralized control on the
  entire domain

16
(Skill 5)
Designing a Group Policy Deployment Strategy (6)

• Resultant Set of Policy (RSoP)
• Useful tool for troubleshooting Group Policies
• Shows the effective Group Policy settings applied
  to a user, and the GPOs from which those settings
  are inherited
• New feature in Windows Server 2003
• Similar to gpresult.exe, which is included in
  Windows 2000 Resource Kit for Windows 2000 domains