
Module 5: Designing for Group Policy

Contents

Overview
Lesson: Gathering Data for Group Policy Design
Lesson: Designing a Group Policy Structure
Lesson: Creating an Organizational Unit Structure for Group Policy
Lesson: Creating a Design for Managing Group Policy
Lab A: Designing a Group Policy Structure

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2003 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, Windows Server, Active Directory, BackOffice, Microsoft Press, MSDN, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Instructor Notes
Presentation: 130 minutes
Lab: 60 minutes

This module provides students with the knowledge and skills they need to gather and analyze information about an organization and its business requirements, and to use that information to design a Group Policy structure. The module also covers how to create an organizational unit structure for Group Policy, as well as how to create a design for managing Group Policy. After completing this module, students will be able to:

- Determine the information needed to design for Group Policy.
- Design a Group Policy structure.
- Create an OU structure for Group Policy.
- Create a Group Policy management design.

Required materials

To teach this module, you need Microsoft PowerPoint file 2282A_05.ppt.

Important: It is recommended that you use PowerPoint 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, features of the slides might not be displayed correctly.

Preparation tasks

To prepare for this module:

- Read all of the materials for this module.
- Complete the practices.
- Complete the lab, practice discussing the answers, and become familiar with the lab environment.
- Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials compact disc.

Classroom setup

The information in this section provides setup instructions that are required to prepare the instructor computer or classroom configuration for a lab. The computers in the classroom should be set up in the configuration specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2282A, Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure. No additional classroom setup is required to perform the lab in this module.


How to Teach This Module


This section contains information that will help you to teach this module.

Lesson: Gathering Data for Group Policy Design


This section describes the instructional methods for teaching this lesson. In this lesson, students examine the specific types of information and business requirements that are relevant to creating a Group Policy design.

Security Requirements

Point out that identifying security requirements typically requires performing some risk assessment and risk analysis activities. It also involves working closely with representatives from many internal departments to ensure that all security requirements are identified.

Administrative Requirements

Emphasize that you need to know what your organization's administrative requirements are before you can design for Group Policy. Another key item you must determine is whether the IT environment in the organization is highly managed or minimally managed.

Software Deployment Requirements

Explain that Group Policy is very useful for deploying software. However, before you can design a plan for Group Policy software deployment, you need to determine the type of software that will be deployed, who or which department the software will reach, and the method by which the deployment will take place (pushed to the desktop, user initiated, and so on).

Current Network Infrastructure

Emphasize that cost is always a major factor in business decisions, including network infrastructure decisions. As a general rule, when possible, take advantage of the existing network.

Current Administrative Model

Ask students what administrative model is used by the organizations in which they work. Is it centralized, decentralized, or a combination of both?

Guidelines for Gathering Data for Group Policy Design

Emphasize the need to get input from all stakeholders before designing for Group Policy. Also mention that when gathering data for any type of design, sometimes one of the most challenging tasks is determining which of the data is relevant to the design decisions that must be made.

Practice

There is no practice for this lesson.

Lesson: Designing a Group Policy Structure


This section describes the instructional methods for teaching this lesson. This lesson provides students with the tools they need to create a simple and well-designed Group Policy structure.

Principles of Successful Group Policy Design

Call attention to two of the most important principles listed: creating a simple GPO design with as few GPOs as possible and, even more critical, the importance of testing your design for Group Policy before deploying it to the entire organization.

Design Considerations for Group Policy Settings

This material might be a review for some students; nonetheless, it's vital that students understand the prerequisites for using Group Policy (Active Directory and DNS), the related IT department considerations (security and delegation), and the implications Group Policy can have on the performance of servers and clients.


Guidelines for GPO Inheritance

Emphasize that when multiple GPOs are applied and the GPO settings conflict, the settings contained in the last GPO applied take precedence. Because Group Policy is applied in a sequential write to RAM, the phrase "he who writes last writes best" is one way to help students remember this concept. Highlight the key concept that, for simplified administration, GPOs should be linked as high in the tree as possible. When discussing "Linking GPOs to the OU structure," point out that GPOs are typically linked to OUs, because this provides the most flexibility and manageability for network administrators.
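The last-writer-wins rule above, worked through as an added example (not part of the courseware). The model is a simplification: containers are listed from the site down to the object's OU, link order 1 is processed last, and block inheritance and security-group filtering (both described later in this module) are the only modifiers; enforced links and the local GPO are not modeled. All GPO, OU, group and setting names are constructed.

```python
"""Toy model of Group Policy processing order. All names are constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict
    # Security filtering: the GPO applies only to members of these groups.
    apply_to: frozenset = frozenset({"Authenticated Users"})


@dataclass
class Container:
    name: str                                   # site, domain or OU
    links: list = field(default_factory=list)   # index 0 == link order 1
    block_inheritance: bool = False


def processing_order(chain):
    """Return GPOs in the order they are applied (first == lowest precedence).

    `chain` lists containers from the site down to the OU holding the object.
    """
    # Block inheritance discards every GPO linked above the blocking container.
    start = 0
    for i, container in enumerate(chain):
        if container.block_inheritance:
            start = i
    order = []
    for container in chain[start:]:
        # Link order 1 has the highest precedence, so it is processed last.
        order.extend(reversed(container.links))
    return order


def resultant_policy(chain, groups):
    """Return (effective settings, name of the GPO that won each setting)."""
    effective, winner = {}, {}
    for gpo in processing_order(chain):
        if not (gpo.apply_to & groups):
            continue  # filtered out: none of this GPO's settings apply
        for key, value in gpo.settings.items():
            effective[key] = value      # a later write replaces an earlier one
            winner[key] = gpo.name
    return effective, winner


def build_sample():
    """Constructed hierarchy: site -> domain -> OU=Sales -> OU=Lab."""
    site = Container("Site HQ", [GPO("Site Proxy", {"ProxyServer": "proxy.example"})])
    domain = Container("Domain", [
        GPO("Domain Baseline", {"ScreenLockSec": 900, "ControlPanel": "allowed"}),
    ])
    sales = Container("OU=Sales", [
        GPO("Sales Lockdown", {"ControlPanel": "hidden"}),             # link order 1
        GPO("Sales Kiosk", {"ScreenLockSec": 300, "ControlPanel": "allowed"},
            apply_to=frozenset({"Kiosk Users"})),                      # link order 2
    ])
    lab = Container("OU=Lab", [GPO("Lab Tools", {"ScreenLockSec": 3600})],
                    block_inheritance=True)
    return site, domain, sales, lab


if __name__ == "__main__":
    site, domain, sales, lab = build_sample()
    cases = [
        ("Sales user", [site, domain, sales], {"Authenticated Users"}),
        ("Sales kiosk user", [site, domain, sales], {"Authenticated Users", "Kiosk Users"}),
        ("Lab user", [site, domain, sales, lab], {"Authenticated Users"}),
    ]
    for label, chain, groups in cases:
        effective, winner = resultant_policy(chain, groups)
        print(label)
        for key in sorted(effective):
            print(f"  {key} = {effective[key]!r}  (from {winner[key]})")
```

The Lab case is the one to look for when reviewing a design: blocking inheritance at an OU also removes the domain baseline's settings from everything beneath it.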

Guidelines for Placement of GPOs

Guidelines for Designing a Group Policy Structure

When discussing "Strategies," explain that because all organizations are unique and have differing business requirements, there is no one right way to design a GPO structure. However, there are several recommended strategies that can be used depending on the administrative model used by the company. Review the strategies presented in the table. Consider asking students which of the listed strategies might work best at their organization.

Practice

There is no practice for this lesson.

Lesson: Creating an Organizational Unit Structure for Group Policy


This section describes the instructional methods for teaching this lesson. In this lesson, students learn how to create an organizational unit (OU) structure for Group Policy. The lesson describes how Group Policy influences OU design, how to align Group Policy requirements with other OU requirements, and how to apply best practices for optimizing the application of Group Policy.

How Group Policy Influences OU Design

Emphasize that because the built-in Users and Computers containers are not OUs, you can't use Group Policy to apply security settings (and other GPO settings) to new user and computer accounts that are automatically placed in these containers. But if you create new OUs and use the redirusr.exe and redircmp.exe commands to make the new OUs the default containers for newly created user and computer accounts, then you can ensure that Group Policy security settings apply to new users and computers, even before they are moved to their appropriate locations in Active Directory.

Alignment with Administrative Structure

Highlight the key point in this topic: an organization's OU structure should be based on its network administration structure. This is because the OU structure's role is primarily to simplify and facilitate network administration.

Design Guidelines for Creating an OU Structure for Group Policy

Point out that filtering GPOs should be avoided whenever possible. Instead, design a GPO structure that meets administrators' and users' requirements without the need for filtering.

Practice

In this practice, students modify the OU structure to support Northwind Traders' Group Policy requirements. (Consider having students perform this practice in small teams.) Have students draw their designs on a whiteboard or flip chart. It's okay for students to have different answers as long as they can justify their designs. Having dissimilar design solutions can promote class discussion and expose students to different points of view.
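One way to verify the redirection that the redirusr.exe and redircmp.exe note in this lesson describes, as an added example (not from the courseware): those commands record the new default location in the domain object's wellKnownObjects attribute, and this sketch parses exported values of that attribute to report whether new accounts land in an OU that can take GPO links. The domain name and the sample values are constructed.

```python
"""Check where new user and computer accounts are created by default."""

# Well-known GUIDs that identify the default Users and Computers locations.
USERS_GUID = "A9D1CA15768811D1ADED00C04FD8D5CD"
COMPUTERS_GUID = "AA312825768811D1ADED00C04FD8D5CD"
KINDS = {USERS_GUID: "users", COMPUTERS_GUID: "computers"}

# Constructed samples of wellKnownObjects values, before and after redirection.
NOT_REDIRECTED = [
    "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=example,DC=com",
    "B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=example,DC=com",
    # Constructed placeholder entry with an all-zero GUID; it must be ignored.
    "B:32:00000000000000000000000000000000:CN=Placeholder,DC=example,DC=com",
]
REDIRECTED = [
    "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=New Users,DC=example,DC=com",
    "B:32:AA312825768811D1ADED00C04FD8D5CD:OU=New Computers,DC=example,DC=com",
]


def parse_well_known(value):
    """Split one value of the form 'B:32:<hex GUID>:<DN>' into (guid, dn)."""
    parts = value.split(":", 3)          # the DN itself may contain colons
    if len(parts) != 4 or parts[0] != "B":
        raise ValueError(f"not a DN-with-binary value: {value!r}")
    _, length, guid, dn = parts
    if not length.isdigit() or int(length) != len(guid):
        raise ValueError(f"GUID length mismatch in: {value!r}")
    return guid.upper(), dn.strip()


def default_container_report(values):
    """Report the default location for new users and computers.

    gpo_linkable is True only when the location is an OU; the built-in
    CN=Users and CN=Computers containers cannot have GPOs linked to them.
    """
    report = {}
    for value in values:
        guid, dn = parse_well_known(value)
        kind = KINDS.get(guid)
        if kind is None:
            continue                      # some other well-known object
        report[kind] = {"dn": dn, "gpo_linkable": dn.upper().startswith("OU=")}
    return report


if __name__ == "__main__":
    for label, values in (("before", NOT_REDIRECTED), ("after", REDIRECTED)):
        for kind, info in default_container_report(values).items():
            state = "OK" if info["gpo_linkable"] else "NOT covered by OU-linked GPOs"
            print(f"{label}: new {kind} -> {info['dn']} [{state}]")
```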


Lesson: Creating a Design for Managing Group Policy


This section describes the instructional methods for teaching this lesson. In this lesson, students learn how to create a Group Policy management design. After explaining what is required for effective Group Policy management, the lesson describes the strategies for designing an administrative model for Group Policy and the strategies for designing a change and management model for Group Policy.

Requirements for Group Policy Management
Strategies for Designing an Administrative Model
Strategies for Designing a Change and Management Model
Guidelines for Creating a Group Policy Management Design
Discussion

Mention that although it requires an Enterprise Admin to link a GPO to a site, Domain Admins can edit a site-level GPO. This possibility means you need to carefully consider who has administrative privileges in the domain.

Mention that restricting administrators to the specific GPOs that they are authorized to change is another example of the principle of least privilege. This practice prevents accidental or malicious modification of GPOs.

Emphasize that it's important to have a strategy in place (preferably a written administrative policy) that specifies the process by which change requests will be initiated and handled.

Point out that security is a critical factor driving many business designs today, including Group Policy management designs. Emphasize again that testing GPOs before they're implemented is vital.

Different organizations have different strategies for managing Group Policy. Have students share their own experiences in this area.

Lab A: Designing a Group Policy Structure


In this lab, students gather information to create a Group Policy design for Tailspin Toys that addresses the needs of the company for software deployment, delegation of administration, and desktop configuration settings. After completing this lab, students will be able to:

- Design a method of assigning and filtering Group Policy objects.
- Design a corporate policy for assigning Group Policy to organizational units.
- Align Group Policy requirements for Active Directory design with other design requirements.

Note: To prevent confusion, at the start of the lab, remind students that in the practices they have been working with Northwind Traders, but in the labs they are working with Tailspin Toys.


To begin the lab, open Microsoft Internet Explorer and then, on the Web page that appears, click the link for this lab. Play the video interview for students, and then instruct students to begin the lab with their lab teams. Note that:

- The e-mail message from Peter Houston presents specific information on a software deployment project for the Kobe location. The key points are:
  - There are some older computers at this location that do not have the 256 megabytes (MB) of RAM required by the application.
  - If the application is installed on a computer that has insufficient RAM, it can lock up the computer and require a manual reinstallation of the operating system.
- The e-mail message from Tad Orman provides the specific Group Policy design tasks that must be accomplished in this lab.

Give students approximately 20 to 25 minutes to complete their designs. Then spend approximately 15 to 20 minutes discussing the students' designs as a class. Student answers will vary because there are several possible Group Policy designs and no single correct solution. After the teams develop their designs, ask one person from each team to present their Group Policy design to the rest of the class.

General lab suggestions

For general lab suggestions, see the Instructor Notes for the Module 1 lab, "Preparing to Design an Active Directory Infrastructure." Those notes contain detailed suggestions for facilitating the lab environment in this course.

Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. The lab in this module is dependent on the classroom configuration specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2282A, Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure.

Important: Although no computer configuration changes occur on student computers during the labs, the information gathered and many of the solutions produced in a lab carry forward to subsequent labs in the course. Therefore, if this course is customized and all of the modules are not used, or they are presented in a different order, when the instructor begins a lab the instructor might need to provide students with a possible answer from the previous lab(s) to use as a starting point for the current lab.


Overview

*****************************ILLEGAL FOR NON-TRAINER USE******************************

Introduction

In this module, you will learn how to gather information about your current infrastructure and then use that information to design a Group Policy structure. Next, you will learn how to integrate this structure into an organizational unit (OU) design. You will learn the role of Group Policy in the Microsoft Active Directory directory service infrastructure and the criteria used for choosing particular implementations. These criteria include considerations for security, software deployment, and administrative requirements. Finally, you will learn how to create a design for managing Group Policy.

Objectives

After completing this module, you will be able to:

- Determine the information needed to design for Group Policy.
- Design a Group Policy structure.
- Create an OU structure for Group Policy.
- Create a Group Policy management design.


Lesson: Gathering Data for Group Policy Design

Introduction

Gathering the appropriate data is an essential step in creating a Group Policy design. In this lesson, you will examine the specific information and business requirements that pertain to design decisions.

Lesson objectives

After completing this lesson, you will be able to:

- Explain how security requirements influence Group Policy design.
- Explain how administrative requirements influence Group Policy design.
- Explain how software deployment requirements influence Group Policy design.
- Explain how the current network infrastructure influences Group Policy design.
- Explain how the current administrative model influences Group Policy design.
- Distinguish the relevant information needed to design for Group Policy.


Security Requirements

Introduction

You can use Group Policy to define security configurations for groups of users and computers. Understanding the aspects of user accounts, computers, and applications that you need to secure with Group Policy will help you create an efficient and secure design.

Identify security requirements

As you plan your design, you need to work closely with security administrators and current security groups in your organization to identify security requirements, including the consequences of a security breach. The data that you need to gather includes:

- Existing security policies. Identify existing corporate security policies. Determine if security is centralized or managed separately at branch offices.
- Appropriate level of user security. Membership in the Users group offers the most protection from external threats, such as viruses, and limits the damage that users can cause to their computers. However, user-level permissions have the most incompatibility problems with older applications.
- Interoperability requirements. Are there other operating systems in the network infrastructure? A network environment that includes Microsoft Windows NT 4.0 servers or servers that use other operating systems could affect the security settings that you would otherwise be able to use in an environment that runs only Microsoft Windows Server 2003.
- Level of support for computers. Determine if there are any other specific security requirements for server and client computers. In addition, users with portable computers who provide their own support might need administrative rights. Developers and other high-performance users might also need administrative rights.


Identify potential security threats

Your organization's data is subject to various types of risks, including user errors and malicious attacks. You need to identify potential internal and external security threats, as well as the consequences of a security breach. To determine security requirements, collect the following types of information:

- Potential internal security threats. Internal threats include accidental damage that your users might cause to their desktops, as well as intentionally malicious actions.
- Potential external security threats. External threats include viruses, attackers, and disgruntled former employees.

Identify how to apply Group Policy security

You need to understand the aspects of user accounts, computers, and applications that you need to secure using Group Policy. Gather the following information about user accounts and computer accounts:

- Current Group Policy information. Answer the following questions to determine if any Group Policy settings are currently enabled:
  - Is there an account lockout policy?
  - How many incorrect logon attempts will lock out an account?
  - Will the account be manually unlocked or automatically unlocked after a specified duration of time?
- Password and account policies. Identify requirements for password length and complexity, the number of unique passwords the user must enter before reusing a previous password, and the frequency with which the user must change (or not change) their password.
- User access. Identify the logon hours of personnel groups, the groups to which logon hours are assigned, the hours during which groups are permitted to log on, and whether to force logoff when logon hours expire. You will also want to identify users' job titles, their corresponding permission levels, and the administrative responsibilities of each job title.
- Application settings. Identify the applications that the organization uses, user files and folders, and the location of data. How will Group Policy affect application settings? Which applications will need to have specific settings applied by using Group Policy?


Administrative Requirements

Introduction

An effective Group Policy plan accommodates the needs of an organization and the organization's administration model. You can use filtering to refine the application of Group Policy to particular groups of users and computers within a given container. You can also block inheritance to prevent Group Policy from being applied to particular subsets of users and computers. In addition, with Active Directory, you can control access to information within the directory service. By designing the Active Directory hierarchy and then managing permissions on directory objects and properties, you can specify which accounts can access the directory and the level of permissions they will have.

Gathering administrative information

To gather administrative requirements for creating Group Policy objects, collect the following information:

- Current network administrative groups. Identify the parties responsible for administration and their specific responsibilities. For example, if you identify a Dynamic Host Configuration Protocol (DHCP) administrative group, confirm that they are responsible for Internet Protocol (IP) addressing, DHCP conflicts, and DHCP services on the servers.
- Other administrative roles. Gather information about other current IT roles, such as the various administrative duties divided among administrator groups.
- User requirements. Identify the administrative requirements of different groups of users. For example, users in the sales department might have additional security requirements due to the sensitivity of the data on their computers.
- Branch office requirements. Additional administrative requirements for branch offices will affect the Group Policy design. You might make a general Group Policy at the domain level that covers domain-wide administrative requirement settings and then create a specific Group Policy object at the OU level to configure administrative settings for that OU.
- Level of required network administration. Because network administration can be delegated, you can use different types of IT management in different areas of the organization. The two types of IT management environments are as follows:
  - Highly managed. In highly managed environments, the administrators of the domain or OU use Group Policy to configure user and computer environments. Such Group Policy settings might include software distribution and maintenance; desktop security; offline folders management; and logon, logoff, startup, and shutdown scripts.
  - Minimally managed. Users in environments that do not require a great deal of management, to varying degrees, perform their own troubleshooting, install their own software, and might even replace their own hardware. Administrators in this type of environment use Group Policy sparingly.


Software Deployment Requirements

Introduction

Administrators can use Group Policy to send, or push, software to a computer or user with minimum effort. This process of deploying software is especially useful in highly managed environments where the IT department is responsible for distributing and managing all applications in the enterprise. Group Policy also helps in the enforcement of legal compliance of computers and users by allowing the network administrator to restrict the distribution of applications for which there is a limited number of licenses.

Gathering software deployment requirements

To design Group Policy to manage and support software deployment, consider the software deployment requirements of your organization. Gather the following types of information:

- The software that will be deployed, such as updates, applications, and security patches.
- Who or what the deployment will reach, such as remote users, networked desktops, wireless users, and servers.
- How software applications will be deployed. For example:
  - Will it be advertised or pushed to the desktop?
  - Will the user initiate installation or will installation occur automatically?

After analyzing the software deployment requirements of your organization, you can determine whether to manage software deployment with Group Policy or another method, such as Microsoft Systems Management Server (SMS).

Additional reading

For more information about managing software distribution using Group Policy, see "Deploying a Managed Software Environment" under Additional Reading on the Web page on the Student Materials compact disc.


Current Network Infrastructure

Introduction

An overriding design goal is to find the lowest cost solution that meets all of the business requirements of the organization. To achieve this goal, you should take advantage of the existing IT investment wherever possible. To do this, you must catalog the existing components of the physical network and document whether or not these components can support the demands of Active Directory. These components include the cable plant, domain controllers, servers, and client workstations. An optimum Active Directory and Group Policy solution might require upgrades to the existing physical network to achieve the stated business goals. In this case, you must be prepared to justify the necessary expense of the upgrades with the cost-saving (or revenue-enhancing) benefits these upgrades will provide.

Gathering current network infrastructure information

Before you add to or modify your network infrastructure to support Active Directory and Group Policy, gather and analyze data about your current network infrastructure, including:

- Network diagrams showing physical locations of network components.
- Connection points, such as wide area networks (WAN), local area networks (LAN), and remote access.
- Areas of administrative responsibility, such as virtual private network (VPN) administrators, LAN administrators, and DNS administrators.
- Change and configuration management technologies, such as a version control system like Visual SourceSafe, as well as change and configuration management policies for your network.
- Whether your current infrastructure uses Domain Name System (DNS), which is necessary to accommodate an Active Directory installation.
- Whether Internet Control Message Protocol (ICMP) is enabled on your network. If ICMP is disabled in your network environment, destination computers will not be able to ping domain controllers, and the application of Group Policy will fail.


Current Administrative Model

Introduction

To design effectively for Group Policy, you must first consider your organization's administrative model. Determining this model is the starting point for designing an effective OU structure, which is the key to successful Group Policy design.

Gathering administrative model information

To gain a comprehensive understanding of your organization's administrative model, gather relevant information about your organization. Use the information you gather to determine:

- The current administrative model of the enterprise. Identify whether your organization's administrative model is centralized (administered from the main office) or decentralized (branch offices administer their own environment). Because organizations frequently use a combination of these models, Group Policy designs also often include both models.
- How IT decisions are made. Determine if any of the administrative units require autonomy from any others in the organization. This business requirement defines whether the specific administrative units are under the administrative control of any superior administrative unit. The pertinent question to ask when you make this determination is, "Can this administrative group allow higher-level administrative groups to access its managed resources, or must it have exclusive control?"
- How often administrators update Group Policy.
- Which administrators can create, edit, and link GPOs. You must determine how many administrators can create, edit, and link Group Policy objects (GPOs). You can use this information to help you determine your strategy for delegation of control of GPOs.


Guidelines for Gathering Data for Group Policy Design

Guidelines

When gathering data for a Group Policy design, follow these guidelines:

- Interview stakeholders, such as IT personnel, management, security groups, business analysts, and users.
- Determine which information is relevant to your design.
- Develop a database; for example, use a spreadsheet program to track all design data.
- Determine who can access the design data.


Lesson: Designing a Group Policy Structure

Introduction

You use Group Policy to define configurations for groups of users and computers in the organization. When designing a Group Policy structure, your primary objective is to base the design on your organization's business requirements.

Lesson objectives

After completing this lesson, students will be able to:

- Describe the principles of successful Group Policy design.
- Describe the considerations for designing Group Policy settings.
- Compare choices about placing and combining Group Policy objects (GPOs).


Principles of Successful Group Policy Design

Design principles

Follow these design principles for an effective Group Policy structure:

- Define your organization's Group Policy objectives. If your Group Policy design is to be successful, it must be based on your organization's specific business requirements. Use these requirements to determine appropriate Group Policy settings and configuration options.
- Create a simple Group Policy design. A GPO design with minimal GPOs simplifies administration. It takes less time for an administrator to determine the effective policy settings when two GPOs are assigned to an OU than when 16 GPOs are assigned to an OU. In addition, whenever possible, minimize the number of GPOs that are applied to a user or computer. It is better to include many policy settings in a single GPO than to create several GPOs, because a single, larger GPO processes faster than multiple, smaller GPOs.
- Design an OU structure that supports Group Policy. Because most GPOs are applied at the OU level, ensure that your organization's OU structure supports and simplifies the application of Group Policy. Filtering is used to exempt objects from Group Policy. A filter affects all of the settings stored in a GPO; you cannot filter individual settings in a GPO so that they apply or do not apply to a group. If you must use groups within an OU to achieve the desired filtering result, consider creating another OU instead.


- Include network and administrative requirements. Identify and incorporate the following network and administrative requirements into your design:
  - Consider the network traffic load that your GPO design creates. For example, if users log on over slow WAN links and the GPO design consists of several large GPOs, the network traffic will increase and it might take substantially longer for the user to log on.
  - Identify interoperability issues, including client computer operating systems, when designing for Group Policy. Group Policy is only supported by computers running Windows Server 2003, Microsoft Windows 2000, and Windows XP Professional.
  - Service-level agreements often specify the maximum amount of response time allowed for a task to complete, such as computer startup and logon. To reduce the amount of time needed to process a GPO, consider disabling any portion of the GPO that does not apply, or combining smaller GPOs into a single, larger GPO.
  - Identify software installation issues. Determine whether Group Policy is the best solution for your organization's software deployment needs.
- Design for the ongoing administration of Group Policy. Policies should include:
  - Testing Group Policy before it is deployed. Repeated testing is vital to a successful Group Policy deployment. You can use the Group Policy Modeling Wizard component of the Group Policy Management Console (GPMC) to determine how a new GPO will interoperate with existing GPOs. Your GPO testing process should include every aspect of the real deployment, and should be performed in a test environment based on your production environment.
  - Using GPMC to back up GPOs on a regular basis.
  - Using GPMC to manage Group Policy throughout the organization.
  - Prohibiting modification of the default domain policy or the default domain controller policy unless absolutely necessary.
  - Specifying a meaningful naming convention for GPOs.
  - Designating only one administrator per GPO.
- Document the GPO design. The document should include the organization's business needs, the Group Policy settings that support those needs, the number of Group Policy settings required, and the locations where the GPOs are applied, so that you can track future changes to the GPO design.

Additional reading

For more information about how the physical network affects GPO processing, see Designing a Group Policy Infrastructure under Additional Reading on the Web page on the Student Materials compact disc.


Design Considerations for Group Policy Settings

Design considerations

When you design for Group Policy, you identify your organization's specific business requirements and determine how Group Policy can help achieve those requirements. You can then identify the most appropriate Group Policy settings and configuration options to meet your requirements. Before designing specific Group Policy settings, consider the following:

- Active Directory. Ensure that the OU design for all domains in the forest supports the application of Group Policy.
- Domain Name System (DNS). Because Group Policy works with fully qualified domain names, you must have DNS running in your forest to correctly process Group Policy. You cannot use network basic input/output system (NetBIOS) only.
- User requirements. Group Policy settings can be based on a user's job title, user location, job needs, computer experience, and corporate security requirements.
- Group Policy inheritance. Develop a good delegation plan that takes advantage of Group Policy inheritance. Also, specify which policy settings will be used at each level. For example, specify that the password policy will be applied at the domain level.


- Security. Work closely with the security administrators as you delegate responsibility for GPO administration. There are several levels of administration for GPOs. The following table lists the administrative roles for GPOs and the individuals who are assigned the task.

| Administrative Role | Assigned to | Comments |
|---|---|---|
| Creating GPOs | Members of GPO Creator Owner Group | Whoever creates the Group Policy object owns it. |
| Modifying GPOs | Users listed in GPO Access Control Lists (ACLs) that set who can administer Group Policy objects | Because user rights can be granted to specific users, it is possible to delegate very precise control over Group Policy settings. |
| Linking GPOs | Users listed in Active Directory container ACLs that set who can link GPOs to objects in Active Directory | An IT group can create a standard set of GPOs that can be linked by lower level Group Policy administrators. |

- Network Performance. To optimize performance over a network, you can configure many Group Policy settings to run only when there is an adequate network connection. The administrator can set the speed of the link to use the available bandwidth and ensure that Group Policy settings do not consume bandwidth required by other processes and applications. By default, Group Policy considers all links of 500 kilobits per second (Kbps) or slower as slow links. Users logging on to the network from portable computers and branch locations might encounter slow links. To avoid these encounters, Group Policy settings can be set to process only when there is an adequate network connection.
- Limit GPOs. To optimize the application of GPOs on client computers, limit the number of GPOs that apply to the user and computer accounts. You can accomplish this by combining the settings from multiple GPOs into a single GPO, and by disabling either the computer or user portion of a GPO. For example, disable the user portion of a GPO that only contains computer settings.


Design Considerations for Group Policy Inheritance

Introduction

Careful planning of your Group Policy design can eliminate the need to create new GPOs for each OU in Active Directory. This is possible due to Group Policy inheritance, which applies the GPO settings that are assigned to the parent container (site, domain, or OU) to the child domain or OU.

Design considerations for Group Policy inheritance

To take the fullest advantage of Group Policy inheritance, consider the following:

- Organize OUs for Group Policy inheritance. Logically organize OUs to create a simple structure in which Group Policy settings that apply to a parent domain or OU apply to child OUs. Create a new OU for each group of users or computers that requires additional Group Policy settings.
- Consider defining a corporate-standard GPO. A corporate-standard GPO is a combination of Group Policy settings that apply to a large set of users in an organization. Corporate-standard GPOs are most often used to remove potentially harmful and nonessential functionality for users, as well as to define access permissions, security settings, and file system and registry permissions for member servers and workstations.
- Manage exceptions to Group Policy inheritance. Occasionally, you might need to apply specific Group Policy settings to an OU without also applying the settings that apply to the parent. You can use the Block Policy inheritance setting to prevent the OU from inheriting Group Policy settings from a parent container. Use the Block Policy inheritance setting sparingly, because this setting makes it difficult to troubleshoot Group Policy.


- Prioritize the application of GPOs. An object that has multiple GPOs linked to it will process them in order of priority. You can set the order in which GPOs are applied. For example, if a GPO that restricts access is applied to an OU containing some users that need access, you can prioritize the application of that GPO to occur after the application of another GPO that secures access to the necessary users. When several GPOs are applied on the same object, some GPOs might contradict others. Remember that the last GPO applied to an object will determine which Group Policy is applied if there are Group Policy settings that conflict with one another.
- Enforce GPO settings. You can enforce policy inheritance by setting the Enforced (No Override) option on a Group Policy object link. If the GPO of the parent container has the Enforced (No Override) option set, the Block Policy inheritance setting will have no effect. Use the Enforced (No Override) option sparingly.

  Note If you are using Active Directory Users and Computers to manage Group Policy, the setting is called No Override. If you use GPMC, the setting is called Enforced.

- Enable loopback processing. When you apply Group Policy objects to users, normally the same set of user policy settings applies to those users when they log on to any computer. By enabling loopback processing for a GPO, you can configure user policy settings based on the computer that they log on to. Those settings are applied regardless of which user logs on. When you use this option, you must ensure that both the computer and user portions of the GPO are enabled.

Important Use loopback processing, Block Policy inheritance, and the Enforced (No Override) settings sparingly, because these settings make the troubleshooting of GPOs difficult and time-consuming.
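The interaction of link order, Block Policy inheritance and Enforced described above can be modeled in a few lines; this is an added example, not part of the original courseware. The container, GPO and setting names are constructed, and the model assumes two conventions this page does not spell out: within a container the link with order 1 is processed last, and an Enforced link on a higher container outranks an Enforced link on a lower one.

```python
from dataclasses import dataclass, field


@dataclass
class Link:
    """A GPO link on a site, domain or OU."""
    gpo: str
    settings: dict
    enforced: bool = False  # "Enforced" in GPMC, "No Override" in ADUC


@dataclass
class Container:
    """A site, domain or OU. links[0] is link order 1 (highest precedence)."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(path):
    """Return the links that apply, in the order they are applied.

    path lists the containers from the site and domain down to the OU that
    holds the user or computer. Later entries overwrite earlier ones.
    """
    # Block Policy inheritance discards non-enforced links from every
    # container above the blocking one; the deepest blocking container decides.
    first_kept = 0
    for depth, container in enumerate(path):
        if container.block_inheritance:
            first_kept = depth

    normal, enforced = [], []
    for depth, container in enumerate(path):
        # Link order 1 must be applied last, so walk the links bottom-up.
        for link in reversed(container.links):
            if link.enforced:
                enforced.append((depth, link))  # never blocked
            elif depth >= first_kept:
                normal.append(link)

    # Enforced links are applied after everything else, and the container
    # closest to the top goes last so that a child cannot override it.
    enforced.sort(key=lambda item: -item[0])
    return normal + [link for _, link in enforced]


def effective_settings(path):
    """Map each setting name to (value, name of the GPO that won)."""
    result = {}
    for link in processing_order(path):
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)
    return result


def blocked_links(path):
    """Names of linked GPOs that Block Policy inheritance keeps from applying."""
    applied = {link.gpo for link in processing_order(path)}
    return [l.gpo for c in path for l in c.links if l.gpo not in applied]


def sample_path(block=True):
    """Constructed hierarchy: site -> domain -> Production OU."""
    site = Container("Site: Sydney", [
        Link("Site Proxy", {"ProxyServer": "proxy.sydney.example"}),
    ])
    domain = Container("Domain: corp.example", [
        Link("Corporate Standard", {"ScreenSaverTimeout": 600}, enforced=True),
        Link("Domain Baseline", {"ScreenSaverTimeout": 900, "Wallpaper": "corp.bmp"}),
    ])
    production = Container("OU: Production", [
        Link("Production Desktop", {"HideControlPanel": True, "ScreenSaverTimeout": 1800}),
        Link("Production Apps", {"HideControlPanel": False}),
    ], block_inheritance=block)
    return [site, domain, production]


if __name__ == "__main__":
    for label, path in (("block on", sample_path(True)), ("block off", sample_path(False))):
        print(label, "->", [link.gpo for link in processing_order(path)])
        for name, (value, gpo) in sorted(effective_settings(path).items()):
            print(f"  {name} = {value!r} (from {gpo})")
        print("  not applied:", blocked_links(path))
```

With blocking on, the site and domain baseline GPOs silently drop out while the enforced domain GPO still wins its conflict, which is the combination that makes these settings hard to troubleshoot.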


Guidelines for the Placement of GPOs

Introduction

In an Active Directory environment, you assign Group Policy settings by linking GPOs to sites, domains, or OUs. Most GPOs are assigned at the OU level. You can add one or more GPO links to each site, domain, or OU by using GPMC. Some Group Policy settings, such as password policies, only take effect if applied at the domain level.

Linking GPOs to the site

Very few policy settings are applied at the site level. If you have a number of policy settings to apply to computers in a particular physical location only (certain network or proxy configuration settings, for example), it might be appropriate to include these settings in a site-based policy. Because domains and sites are independent, computers in the same site can be in separate domains. In this case, make sure there is good connectivity. However, if the settings do not clearly correspond to computers in a single site, assign the GPO to the domain or OU structure rather than to the site.

Linking GPOs to the domain

Link GPOs to the domain if you want them to apply to all users and computers in the domain. For example, security administrators often implement domain-based GPOs to enforce corporate standards. They can create these GPOs with the Enforced option enabled to guarantee that no other administrator can override these settings.

Note If you need to modify some of the settings contained in the Default Domain Controller Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforced (No Override) option. In general, do not modify the settings in the Default Domain Controller Policy GPO. If you modify the Default Domain Controller Policy GPO, make backups by using GPMC to ensure you can restore them.


Linking GPOs to the OU structure

Most GPOs are normally linked to the OU structure, because this provides the most flexibility and manageability by allowing you to:

- Move users and computers into and out of OUs.
- Rearrange OUs.
- Work with smaller groups of users who have common administrative requirements.
- Organize users and computers based on their administrators.

Organizing GPOs into user- and computer-oriented GPOs can help make your Group Policy environment easier to understand and can simplify troubleshooting. However, separating the user and computer components into separate GPOs might require more GPOs. You can compensate for this by disabling the user or computer configuration portions of the GPO to reduce the time required to apply a given GPO.

Guidelines

Use the following strategies to decide where to place GPOs and link them:

- Link GPOs that contain settings that apply to all users as high in the tree as possible.
- Link GPOs that contain specific settings that apply only to a specific group of users or computers to the OU that contains those users or computers.
- Link GPOs that contain settings that apply to several groups of users or computers, but not to all users or computers, to the parent OU of the OUs that contain the users or computers.
- Use the Group Policy Modeling Wizard in GPMC to verify that the GPO settings you have designed will be applied appropriately.
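The placement guidelines above amount to finding the lowest container that is an ancestor of every OU that needs the GPO. This added example (not part of the original courseware) does that over constructed distinguished names and also lists the populated OUs that would inherit the GPO without needing it, which is where a new OU or security filtering comes into the design.

```python
def rdns(dn):
    """Split a DN into lower-cased components ordered from the root down.

    Assumes the names contain no escaped commas, which holds for the
    constructed sample data below.
    """
    return [part.strip().lower() for part in dn.split(",")][::-1]


def is_under(dn, ancestor):
    """True when dn is the ancestor itself or sits anywhere below it."""
    child, parent = rdns(dn), rdns(ancestor)
    return child[:len(parent)] == parent


def suggest_link(targets, populated_ous):
    """Pick the lowest container that covers every target OU.

    Returns (link_dn, bystanders). bystanders are populated OUs that would
    inherit the GPO although they are not targets. Returns (None, []) when
    the targets are in different domains and share no container.
    """
    paths = [rdns(t) for t in targets]

    # All targets must share the same domain (the DC= components).
    def domain(path):
        return [p for p in path if p.startswith("dc=")]

    if any(domain(p) != domain(paths[0]) for p in paths):
        return None, []

    # Longest common prefix of the root-first paths is the shared ancestor.
    common = paths[0]
    for path in paths[1:]:
        n = 0
        while n < min(len(common), len(path)) and common[n] == path[n]:
            n += 1
        common = common[:n]

    # Rebuild the DN with its original capitalisation from the first target.
    original = [part.strip() for part in targets[0].split(",")]
    link_dn = ",".join(original[len(original) - len(common):])

    bystanders = [
        ou for ou in populated_ous
        if is_under(ou, link_dn) and not any(is_under(ou, t) for t in targets)
    ]
    return link_dn, bystanders


# Constructed sample: OUs that hold user or computer accounts.
POPULATED_OUS = [
    "OU=Sales,OU=Paris,DC=corp,DC=example",
    "OU=Marketing,OU=Paris,DC=corp,DC=example",
    "OU=Finance,OU=Paris,DC=corp,DC=example",
    "OU=Sales,OU=Atlanta,DC=corp,DC=example",
]

if __name__ == "__main__":
    cases = {
        "one OU": [POPULATED_OUS[2]],
        "two sibling OUs": POPULATED_OUS[0:2],
        "Sales in two locations": [POPULATED_OUS[0], POPULATED_OUS[3]],
    }
    for label, targets in cases.items():
        link_dn, bystanders = suggest_link(targets, POPULATED_OUS)
        print(f"{label}: link at {link_dn}")
        for ou in bystanders:
            print(f"  also inherits: {ou}")
```

A non-empty bystander list is the signal to either regroup the target accounts under their own OU or accept filtering on the link.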


Guidelines for Designing a Group Policy Structure

Guidelines

Keep in mind the following considerations and guidelines when designing a Group Policy structure.

- Determine the following information about GPOs:
  - Where will the GPOs be linked?
  - What security filtering will you use for the GPOs?
  - Which policy settings must always be enforced for particular groups of users or computers?
- Decide the policy settings that are applicable to the entire organization and consider linking these to the domain.
- Classify the types of computers and the roles or job functions of users in your organization, and then create GPOs to configure the environment for each as needed.
- Specify the use of a staging environment to test your Group Policy-based management strategy before deploying GPOs into your production environment. Test the results of GPOs in a wide variety of situations. Many medium and large organizations create a miniature version of the production environment to use for testing. If you are in a small organization without the resources to create a staging environment, it is recommended that you implement Group Policy in the production environment at off-peak times, and have a solid regression strategy in place to rectify any unwanted results. Strategies for testing include:
  - Logging on as representative users at representative workstations to verify that the expected Group Policy settings are applied and that inheritance conflicts do not occur.


  - Testing mobile users by logging on in all possible variations to ensure that Group Policy settings are applied consistently in all situations.
  - Testing portable computers by connecting them to the network from various sites where users are likely to log on.

Strategies

The following table describes recommended strategies for designing a GPO structure.

| Strategy | Administrative model |
|---|---|
| Plan a separate GPO for each type of Group Policy setting. | Use when multiple administrators are responsible for different areas of administration. For example, create a GPO for software installation and maintenance and another GPO for security if each area is administered by a different user. |
| Plan a separate GPO for user configuration and computer configuration. | Use when users and computers are administered by different administrators, or when users and computers are stored in different OUs. |
| Plan GPOs for individual applications. | Use when an administrator is responsible for the deployment and maintenance of a single application. For example, create a GPO containing software installation and maintenance settings and registry-based Group Policy settings for Microsoft Office XP. |
| Plan GPOs for user environment management. | Use when an administrator needs to manage all user environment-related settings. For example, create a GPO containing folder redirection settings and registry-based Group Policy settings for User Configuration. |


Lesson: Creating an Organizational Unit Structure for Group Policy

Introduction

Before you begin designing the organizational unit (OU) structure, it is important that you understand the characteristics of OUs and how Group Policy influences your OU design. That understanding, together with the administrative model used by your organization, will help you to determine the OU structure.

Lesson objectives

After completing this lesson, students will be able to:

- Describe how Group Policy influences OU design.
- Align Group Policy requirements with OU requirements.
- Apply best practices for optimizing the application of Group Policy.
- Design an OU structure for Group Policy.


How Group Policy Influences OU Design

Introduction

Your OU structure should support your Group Policy-based client management strategy. A well-designed OU structure that reflects the administrative structure of your organization and takes advantage of GPO inheritance will simplify the application of Group Policy. For example, a well-designed OU structure can prevent the need to duplicate certain policies that need to be applied to different parts of the organization, as well as prevent the need to link the same GPO to multiple Active Directory containers to achieve a specific objective. If possible, create OUs to:

- Enable delegation of administration.
- Scope the application of GPOs.

Design recommendations

The following OU design recommendations will help you design an OU structure that can support delegation of authority and implementation of Group Policy:

- Delegate administrative authority. Create OUs within a domain and delegate administrative control for specific OUs to a particular group or groups.
- Create OUs to replace Users and Computers containers. By default, new user and computer accounts that are created without specifying a location are placed in the Users and Computers containers. You cannot link GPOs to the Users and Computers containers because these containers are not OUs. Consider creating OUs to replace these containers, and then use the redirusr.exe and the redircmp.exe commands to make the new OUs the default containers for newly created user and computer accounts. Accounts that are created without specifying a location will be placed in the new default containers; you can then create GPOs and link them to these OUs to manage these accounts. You can also enforce security policies on these new accounts before they are moved to their appropriate location in Active Directory.


- Organize computers and users. When you start designing an OU structure, consider the types of objects you want to manage by using Group Policy. Consider the following structures for your design:
  - Organize users and computers by function. Depending on your administrative model, consider function-based OUs for users, client computers, and servers. For example, an organization such as a consulting agency might have a cross-departmental team that is dedicated to supporting a particular customer. Such a company could benefit from a function-based design. A function-based hierarchy considers only the business functions of the organization, without regard to geographical, departmental, or divisional barriers. Choose this approach only if the IT function is not based on location or organization.
  - Organize users and computers by location. Depending on your administrative model, consider geographically-based OUs. Duplicate the structure for each location to avoid replicating across different sites. Add OUs below these only if doing so makes the application of Group Policy clearer, or if you need to delegate administration below these levels.

  By using a structure in which OUs contain homogeneous objects, such as either user or computer objects but not both, you can easily disable those sections of a GPO that do not apply to a particular type of object. By using this approach to OU design, you can reduce complexity and improve the speed at which Group Policy is applied. Keep in mind that GPOs linked to the higher layers of the OU structure are inherited by default, which reduces the need to duplicate GPOs or to link a GPO to multiple containers.

Additional reading

For more information about how an OU structure influences a Group Policy design, see Designing a Group Policy Infrastructure under Additional Reading on the Web page on the Student Materials compact disc.


Alignment with Administrative Structure Design

Introduction

Plan your OU structure around your network administration model. A well-designed OU structure of upper- and lower-level OUs will allow administrators to delegate authority and apply Group Policy. Your OU structure should also accommodate future reorganizations so that minimum object movement will be required. Do not try to copy the organizational chart when you design the OU structure; using political divisions will not necessarily make administration easier. Also, you do not need to organize the OU hierarchy for ease of client access. Instead, create a hierarchy that mirrors the administrative and security needs of the business. Use names in the hierarchy that are meaningful to the administrative staff. You should also keep the design simple to minimize the need for constant management.

Upper levels of OUs

When designing upper-level OUs, remember the following:

- Base first-level OUs on a static aspect of the organization. This will help prevent the need to restructure your first-level OUs due to company reorganization. For example, you might choose to have different OUs for separate countries to allow for differences in administrative policies; geography is much less likely to change than divisions of an organization.
- Consider making first-level OUs an organization-wide standard. Although OU structures can be unique to each domain, consider having a standard first level in the OU structure to provide consistent organization-wide support. For example, you could create first-level OUs for groups, printers, and applications within each domain. OUs do not have replication or costs. This first-level structure will keep administration for the domains consistent throughout the forest.


Lower levels of OUs

Lower-level OUs should represent more detailed levels of administrative authority within your organization. Create lower-level OUs to delegate authority over objects to specific groups of users and to accommodate Group Policy needs. For example, you could create an OU to include users who need a certain application, and then create a Group Policy for that particular OU. You can design a hierarchical OU structure in which new lower-level OUs are created, or nested, within existing OUs. This will prevent readjustment of your administration model, and is similar to the nesting that can be done with groups.
Planning lower-level OUs. When planning lower-level OUs, consider the following:

- OUs can be administrated independently; however, when you create an OU within an existing OU, by default it inherits the properties of the OU in which it is created.
- Only nest OUs as needed to provide a clear and accurate representation of the organization's administrative model. OUs nested too deeply can be more confusing than beneficial.
- An OU nested within another OU might have multiple levels of Group Policy to be applied. Keep in mind that the processing time depends upon the number of policies that need to be applied, as well as the size of those policies.
- An OU cannot contain objects from another domain.

Incorporating future expansions

Incorporate plans for future administrative tasks of Group Policy into your design. For example, if you expect your organization to grow by 10 percent in the next year, be sure your design is flexible enough to accommodate change.


Guidelines for Creating an OU Structure for Group Policy

Guidelines

When designing an organizational unit (OU) structure for Group Policy, use the following guidelines, and be sure to document each decision:

- Choose stable upper-level OU names. Choose the upper-level OU design strategy based on a stable aspect of the organization, such as location. When naming OUs, remember that users do not see the organizational unit structure, so choose names that are meaningful to administrators.
- Assign control at the highest OU level. Take advantage of inheritance whenever possible. If you assign control at the highest OU level possible rather than on individual objects, managing permissions will be much easier and more efficient. In addition, there is less potential for damage if an administrator makes a mistake while logged on with an administrative account.
- Create an OU design that requires the fewest GPOs. The more GPOs you have associated with any object, the longer it will take for users to log on to the network. Create lower-level OUs based on the need for GPOs.
- Avoid filters. Create additional OUs to avoid the need to use filters to exempt a group in an OU from a GPO, thereby isolating the users or computers that require certain policy settings.


Practice: Modifying an Organizational Unit Structure for Group Policy

Introduction

In this practice, you will modify the organizational unit structure that supports Northwind Traders' Group Policy requirements.

Scenario

Northwind Traders is progressing with its Active Directory design project. The company has already decided on an organizational unit structure, as illustrated on the slide. The following table shows the geographical locations, the departments residing in each location, and the specific Group Policy requirements for each location.

| Location | Departments represented |
|---|---|
| Paris, France | HQ Management staff, Finance, Sales, Marketing, Production, Research, Development, Information Technology (IT) |
| Los Angeles, CA, United States | Sales, Marketing, Finance, IT |
| Atlanta, GA, United States | Customer Service, Customer Support, Training |
| Glasgow, Scotland | Research, Development, Sustained Engineering, IT |
| Sydney, Australia | Consulting, Production, Sales, Finance |

Group Policy requirements for Paris and Los Angeles:

- Due to the confidential nature of their work, all executives require that their laptop computers have specific security settings. However, they do not want these security settings to be applied to their desktop computers.
- All servers in the Finance department must use IPSec for all communications.
- All personnel in the Sales department must have a customer tracking application installed on their computers.
- All laptop computers in this location must have a password protected screen saver configured on them.

Group Policy requirements for Atlanta, Glasgow, and Sydney:

- All personnel in the Customer Support department who work in the call center have specific applications that must be installed on their computers.
- All computers, even new computers that have just joined the domain, require an IPSec policy applied.
- All computers in the Research department require specific security settings.
- All computers in the Production department are used by multiple people on different shifts. These computers require specific desktop and user interface settings for users that log on to these computers.

Practice

Based on the scenario, modify the OU structure to support Northwind Traders' Group Policy requirements by answering the following questions. Discuss your results as a class.

1. Which additional OUs must be created to support Group Policy?

   Creating OUs is only one possible way to filter the application of Group Policy. You can also use other methods, such as security groups, to accomplish the same goal.

   - Create a new OU in the HQ Management OU named Laptops. This OU will contain all of the computer accounts for the executives' laptop computers.
   - Create a new OU named LaptopComputers in the NAwest domain to simplify the application of Group Policy settings to all laptop computers in this location.
   - Create a new OU named CallCenter in the CustomerSupport OU. This OU will contain all of the computer accounts for the computers in the call center, which will enable you to easily apply specific Group Policy settings to these computers.
   - Create a new OU in the Glasgow domain named ComputerAccounts, and use the redircmp.exe command to cause all newly created computer accounts to be redirected to the new OU.

2. Who will be responsible for managing Group Policy in each domain?

   The IT group in Paris will manage all Group Policy settings in Paris, Atlanta, and Sydney. The local IT staff will manage Group Policy settings in all other locations.


Lesson: Creating a Design for Managing Group Policy

Introduction

Consider your organization's needs and resources when creating a design for managing your GPOs. Clearly outline the procedures for proposing and applying Group Policy settings, and for evaluating, testing, deploying, and establishing a rollback plan.

Lesson objectives

After completing this lesson, students will be able to:

- Describe what is required for effective Group Policy management.
- Describe the strategies for designing an administrative model for group policies.
- Describe the strategies for designing a change and management model.
- Create a Group Policy management design.


Requirements for Group Policy Management

Introduction

An important aspect of designing Group Policy is to determine who manages these policy settings. In addition, it is important to understand the requirements for using these policy settings, including permissions and operating system requirements.

Permissions

You must have the following permissions to link Group Policy objects:

- Enterprise administrative permissions to link site-level GPOs
- Domain administrative permissions to link domain-level GPOs
- Permissions for the objects to link OU-level GPOs

Important Although enterprise administrative permissions are required to link a site-level GPO, only domain administrative permissions are required to edit a site-level GPO. For this reason, you need to carefully consider the membership of the Enterprise Admins and Domain Admins groups.

Client operating system

Successfully using Group Policy to manage client computers requires that the client computer's operating system support Group Policy. The following list describes the level of support for Group Policy in each version of Windows:

- Versions of Windows earlier than Windows 2000, such as Windows NT 4.0, Windows 98, and Windows 95, do not support Group Policy management. Manage these computers by using System Policy.
- Windows 2000 was the first operating system to support the use of Group Policy. It supports many of the Group Policy settings available in Windows Server 2003 GPOs, but not all of them. You can use the extended view in GPMC to determine which settings are supported by which operating systems. Settings that are not supported by Windows 2000 are ignored on Windows 2000 computers.
- Windows XP and Windows Server 2003 both include full support for Group Policy.


Strategies for Designing an Administrative Model

*****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction When you assess the needs of your organization, one of the most important decisions is determining whether administrative control of Group Policy should be centralized or distributed. In organizations that use a centralized administration model, an IT group provides services, makes decisions, and sets standards for the entire company. In organizations that use a distributed administration model, each business unit manages its own IT group. Based on your organizations administrative model, you need to determine which aspects of configuration management to handle at the site, domain, and OU levels. You also need to determine how to divide responsibilities among the administrators or administrative groups at each site, domain, and OU level. Strategies Use the following strategies when designing the administrative model for group policies:
- Determine the amount of training required for administrators to properly manage GPOs.
- Determine how responsibilities at each site, domain, and organizational unit level might be further subdivided among the available administrators or administrative groups at each level.
- Assess the readiness of other administrators to assume delegated roles for administering Group Policy by addressing their familiarity with the following:
    - Procedures for working with GPOs, such as creating GPOs and importing settings
    - Editing and linking GPOs
    - Setting exceptions to default inheritance of GPOs
    - Filtering the application of GPOs
    - Using Group Policy Modeling for planning and Group Policy Results for evaluating GPO applications
    - Backing up or restoring GPOs
- Based on your organization's administrative model, determine which aspects of desktop management can best be handled at the site, domain, and organizational unit levels.
- To reduce complexity and minimize the likelihood of introducing errors, consider restricting administrators to the specific GPOs that they are authorized to change.
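One way to check the guideline on restricting administrators to the GPOs they are authorized to change, which also shows how far the edit rights of Domain Admins and Enterprise Admins reach. This is an added example, not part of the course material; it assumes the GroupPolicy PowerShell module (which shipped after this course was written), and the approved-editor list is a constructed placeholder.

```powershell
# Added example. Requires the GroupPolicy module and read access to every GPO.
Import-Module GroupPolicy

# Assumption: the only trustees approved to change GPOs in this domain.
# 'Group Policy Admins' is a constructed name; substitute your own groups.
$ApprovedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'Group Policy Admins')

# Permission levels that allow a trustee to change a GPO's settings.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')

function Get-GpoEditor {
    # Emits one row per (GPO, trustee) pair that holds an edit-level permission.
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $EditLevels -contains $_.Permission.ToString() } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    SidType    = $_.Trustee.SidType
                    Permission = $_.Permission
                    Approved   = $ApprovedEditors -contains $_.Trustee.Name
                }
            }
    }
}

$editors = @(Get-GpoEditor)

# Trustees that can edit a GPO but are not on the approved list.
$editors | Where-Object { -not $_.Approved } |
    Sort-Object Gpo, Trustee |
    Format-Table Gpo, Trustee, SidType, Permission -AutoSize

# How many GPOs each trustee can edit: a quick view of how concentrated control is.
$editors | Group-Object Trustee |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

The report covers edit rights on the GPOs themselves; the right to link a GPO is granted on the site, domain, or OU and has to be reviewed there.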


Strategies for Designing a Change and Management Model

Introduction

To facilitate future management of Group Policy, you should develop operational procedures to ensure that changes to GPOs are made in an authorized and controlled manner. Ensure that all new GPOs and changes in existing GPOs are properly staged before deployment to your production environment. You should also create regular backups of your GPOs.

Strategies

Use the following strategies to design a change and management model for Group Policy:

- Establish administrative procedures to track and manage GPOs and ensure that all changes are implemented in a prescribed manner using the appropriate tools.
- Train administrators to identify, document, and initiate change requests for Group Policy.
- Provide administrators with information about:
    - The process for making changes to Group Policy.
    - Who will evaluate and approve the change to a Group Policy object.
    - How the Group Policy changes will be tested prior to implementation.
- Establish control procedures for creating, linking, editing, and importing settings into GPOs.
- Document procedures for making regular backups and restores of all GPOs.

Note: You can use GPMC to manage all aspects of Group Policy across an enterprise. You can download GPMC from the Microsoft Download Center.
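A sketch of how the tracking and backup procedures above can be automated: compare each GPO's version counters with a saved baseline to list GPOs created, edited, or deleted since the last run, then back up all GPOs. This is an added example, not part of the course material; it assumes the GroupPolicy PowerShell module, and the paths and function names are constructed.

```powershell
# Added example. Requires the GroupPolicy module and rights to read and back up GPOs.
Import-Module GroupPolicy

# Assumption: constructed paths; use a protected location in practice.
$BaselineCsv = 'C:\GpoAudit\baseline.csv'
$BackupRoot  = 'C:\GpoAudit\Backups'

function Get-GpoSnapshot {
    # Version counters increase each time a GPO's user or computer settings are saved.
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            Id          = $_.Id.ToString()
            Name        = $_.DisplayName
            UserVersion = $_.User.DSVersion
            CompVersion = $_.Computer.DSVersion
        }
    }
}

function Compare-GpoSnapshot {
    param([object[]]$Baseline, [object[]]$Current)
    $old = @{}
    foreach ($b in $Baseline) { $old[$b.Id] = $b }
    foreach ($c in $Current) {
        $b = $old[$c.Id]
        if (-not $b) {
            [pscustomobject]@{ Change = 'Created'; Name = $c.Name; Id = $c.Id }
        } elseif ([int]$b.UserVersion -ne $c.UserVersion -or
                  [int]$b.CompVersion -ne $c.CompVersion) {
            [pscustomobject]@{ Change = 'Edited'; Name = $c.Name; Id = $c.Id }
        }
        $old.Remove($c.Id)
    }
    # Anything left in the baseline no longer exists in the domain.
    foreach ($b in $old.Values) {
        [pscustomobject]@{ Change = 'Deleted'; Name = $b.Name; Id = $b.Id }
    }
}

$current = @(Get-GpoSnapshot)
if (Test-Path $BaselineCsv) {
    Compare-GpoSnapshot -Baseline @(Import-Csv $BaselineCsv) -Current $current |
        Format-Table -AutoSize
}
# Once every reported change maps to an approved request, back up and re-baseline.
$dir = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Backup-GPO -All -Path $dir | Out-Null
$current | Export-Csv -Path $BaselineCsv -NoTypeInformation
```

Version counters track edits to a GPO's settings only; links are stored on the site, domain, or OU, so link changes need a separate check.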


Guidelines for Creating a Group Policy Management Design

Guidelines

When creating a Group Policy management design, use the following guidelines:

- Keep the requirements of Group Policy stakeholders in mind.
- Consider security issues concerning who will access and manage Group Policy settings.
- Consider which operating systems will be managed by using each GPO, and whether those operating systems support the configuration settings used in the GPO.
- Determine the process for evaluating, approving, testing, and implementing Group Policy.
- Determine how decisions will be made when problems arise.

Additional reading

For more information on Group Policy, see Designing a Group Policy Infrastructure under Additional Reading on the Web page on the Student Materials compact disc. For more information about Active Directory OU design, see Designing the Active Directory Logical Structure under Additional Reading on the Web page on the Student Materials compact disc.


Discussion: Creating a Group Policy Management Design

Discussion

Discuss as a class the strategies for creating a Group Policy management design. Use the following questions to guide your discussion:

1. Which group or individual in your organization is responsible for implementing the security policies for your organization? Who can request a change to the security policy?
2. What type of administrative model does your organization use for managing Group Policy? Does it work well? Would you change it if you could?
3. Do you implement a highly managed desktop environment for any group within your organization? Why?

Answers may vary based on the work experience of the students who are participating in the class.


Lab A: Designing a Group Policy Structure

Objectives

After completing this lab, you will be able to:

- Design a method of assigning and filtering Group Policy objects.
- Design a corporate policy for assigning Group Policy to organizational units.
- Align Group Policy requirements for Active Directory design with other design requirements.

Scenario

You are a consultant who has been hired to design a Group Policy structure for Tailspin Toys. The lab uses an interactive application to convey scenario-based information. To begin this lab, open Internet Explorer, and then, on the Web page that appears, click the link for this lab. View the video, read the e-mail messages, and then, using the exercise below as a guide, complete the tasks that are assigned in the e-mail messages.

Estimated time to complete this lab: 60 minutes

Your instructor will break the class into groups to do the lab. Each group should be prepared to present their design to the class at the end of the lab.


Exercise 1 Designing a Group Policy Structure


In this exercise, you will answer questions relating to the Group Policy design for Tailspin Toys. Use the information you have gathered in previous labs, including your forest, domain, site, and OU designs, and the new information presented in the scenario to answer the following questions.

1. How will you deploy the product planning application to the Kobe office in Japan?

   Answers may vary. To deploy the product planning application in Kobe, one possible answer is to create a Computers OU within the Kobe OU in the Contoso domain. Place the computer accounts for all computers in the Kobe site into the Computers OU. Create a GPO, link it to the Computers OU, and configure the GPO to install the product planning application on all computers. Then, filter the GPO by using a Microsoft Windows Management Instrumentation (WMI) filter that only allows the application to be installed on computers that have at least 256 MB of RAM. This will simplify administration, enable the application to be installed on the appropriate computers, and prevent the application from being installed on computers that will not support it.

2. How will you ensure that local administrators in each location can link and manage Group Policy for all users in the location that they administer?

   Answers may vary. To ensure that local administrators can administer Group Policy for their locations, one possible answer is to ensure that each local administrator is delegated the authority to create, link, and manage GPOs for the OU that contains the user accounts for users in the local administrator's location. This strategy enables local administrators to manage Group Policy for their users, without giving them permissions to manage Group Policy for users in other locations.


3. Tailspin Toys maintains a call center in Fayetteville, Ark., that handles most of the company's customer support. They want to ensure that the desktop computers in the call center there have a specific set of applications installed and desktop settings configured, no matter who logs on to the computer. How will you accomplish this?

   Answers may vary. One possible answer is to create an OU named Call Center within the Fayetteville OU in the Tailspin domain. Place the computer accounts for all call center computers into the Call Center OU. Create a GPO and link it to the Call Center OU, and configure the GPO to assign the appropriate software installation and desktop settings. Then configure the GPO to use the User Group Policy loopback processing mode. The use of this OU and GPO strategy, in combination with the loopback processing mode, ensures that the settings in the GPO are applied to all users who log on to the call center computers, regardless of where their user accounts are located in Active Directory.
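The WMI filter from the answer to question 1, written as a WQL query with a helper that evaluates it on a test computer before the GPO is linked. This is an added example, not part of the lab materials; the query text and the helper name Test-WmiFilterQuery are assumptions, and it uses the CIM cmdlets from current Windows PowerShell.

```powershell
# Added example. WQL for the filter: at least 256 MB (268435456 bytes) reported to Windows.
$Namespace = 'root\CIMv2'
$Query     = 'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 268435456'

function Test-WmiFilterQuery {
    # Hypothetical helper: a WMI filter is true when its query returns any instance.
    param([string]$Namespace, [string]$Query)
    $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

# TotalPhysicalMemory is the memory available to the operating system, which can be
# slightly below the installed amount, so show the reported value next to the result.
$reportedBytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    ReportedMB   = [math]::Round($reportedBytes / 1MB)
    FilterResult = Test-WmiFilterQuery -Namespace $Namespace -Query $Query
}
```

Windows 2000 clients do not evaluate WMI filters and apply the GPO regardless, so the filter only restricts installation on Windows XP and Windows Server 2003 computers.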
