Designing Group Policy

1
Designing Group Policy

• Planning Deployment of Group Policy
• Troubleshooting Group Policy

2
Planning Deployment of Group Policy

• Group Policy overview
• Planning Group Policy inheritance
• Filtering Group Policy by using security groups

3
Group Policy Overview

• Group Policy allows centralized control of user
  and computer configuration settings.
• Group Policy uses Active Directory to centralize
  management and standardize security settings.
• Use the Block Policy Inheritance attribute or the
  No Override attribute to modify the default
  inheritance model.

4
Planning Group Policy Inheritance

• Inheritance simplifies Group Policy
  administration by allowing widespread policy
  settings only to higher-level organizational
  units (OUs).
• Group Policy can be applied at different levels
  within Active Directory by defining Group Policy
  objects (GPOs) that are linked to sites, domains,
  or OUs.
• The Group Policy is applied to all computer or
  user objects within the container where the Group
  Policy object is defined.
• Effective permissions are based on the
  inheritance model.
• The settings applied to an OU typically take
  precedence.

5
Group Policy Application Order
6
Assessing Group Policy Application

• Security requirements must be met without
  significantly affecting logon performance.
• Use the following design strategies
• Disable unused portions of Group Policy.
• Minimize the levels at which Group Policy is
  applied.
• Avoid cross-domain Group Policy object
  assignments.

7
No Override and Block Policy Inheritance
8
Making the Decision Designing Group Policy

• Simplify the troubleshooting of Group Policy.
• Minimize the time spent processing Group Policy
  during logon.
• Prevent blocking of key Group Policy settings.
• Prevent users from changing configuration by
  applying Local Group Policies.
• Apply central Group Policy that will affect all
  users.
• Apply specific Group Policy to a limited number
  of computers or users.

9
OU Structure for the Engineering Domain
10
OU Structure for the Wide World Importers Domain
11
Filtering Group Policy by Using Security Groups

• Group Policy is not applied to security groups.
• Group Policy is based on the location of objects
  within the Active Directory hierarchy.
• By default, Group Policies apply to all users and
  computers within a site, domain, or OU.
• Use security groups to filter Group Policy
  application so that it applies only to specific
  users and groups within a given object.
• When defining a Group Policy object, define which
  security groups will be able to Read and Apply
  Group Policy in the Group Policy objects
  Security tab.

12
Making the Decision Designing Group Policy
Filtering Strategies

• Ensure that a Group Policy is applied to a
  security group.
• Prevent an OU administrator from blocking
  inheritance.
• Prevent application of a Group Policy object to
  a specific group of users or computers.

13
Applying the Decision Group Policy Filtering at
Wide World Importers

• Create two custom domain local groups named
  FullTimeGP and ContingentGP.
• Create two custom global groups named
  FullTimeEmployees and ContingentStaff that
  contain all full-time staff and all contingent
  staff.
• Configure the security for the Office Group
  Policy so that only the FullTimeGP domain local
  group has Read and Apply Group Policy
  permissions.
• The network administrators could also configure
  the Office Group Policy to have the No Override
  attribute.

14
Troubleshooting Group Policy

• Assessing Group Policy Troubleshooting

15
Assessing Group Policy Troubleshooting

• Inspect the Active Directory hierarchy.
• Inspect applied Group Policies by using the
  Gpresult utility.

16
Gpresult Utility

• Gpresult /V /S /C /U /?
• /V runs Gpresult in verbose mode.
• /S runs Gpresult in super verbose mode.
• /C only displays the Group Policy objects applied
  to the computer.
• /U only displays the Group Policy objects applied
  to the user.

17
Making the Decision Troubleshooting Group
Policy Application

• Determine all possible locations where Group
  Policy objects might be defined.
• Determine whether the Group Policy that was
  applied is a user or computer configuration
  setting.
• Determine why a higher-level Group Policy is not
  applied.
• Determine why a lower-level Group Policy is not
  applied.
• Determine why a Group Policy does not apply to
  all computers or users within a site, domain, or
  OU.

18
Applying the Decision Troubleshooting Group
Policy Application at Wide World Importers

• Verify the location of Dons user account in
  Active Directory.
• Determine where Group Policies might exist that
  could affect Don's user account for application
  of Group Policy.
• Run Gpresult to determine all user Group Policies
  that were applied to Don's user account at logon.
• Determine if filtering is affecting the Group
  Policy application.

19
Chapter SummaryDesigning Group Policy

• Group Policy overview
• Planning Group Policy inheritance
• Filtering Group Policy by using security groups
• Assessing Group Policy troubleshooting