
Module 5: Creating and Configuring Group Policy
Module Overview
• Overview of Group Policy

• Configuring the Scope of Group Policy Objects

• Evaluating the Application of Group Policy Objects

• Managing Group Policy Objects

• Delegating Administrative Control of Group Policy


Lesson 1: Overview of Group Policy
• What Is Group Policy?

• Group Policy Settings

• How Group Policy Is Applied

• Exceptions to Group Policy Processing

• Group Policy Components

• What Are ADM and ADMX files?

• What Is the Central Store?

• Demonstration: Configuring Group Policy Objects


What Is Group Policy?

Group Policy enables IT administrators to automate one-to-many management of users and computers

Use Group Policy to:

• Apply standard configurations (e.g. security, Windows components)

• Deploy software (<10 MB)

• Enforce security settings: only allow standard user rights (overrides the local setting)

• Enforce a consistent desktop environment

Local Group Policy is always in effect for local and domain users and local computer settings (domain user > local user), (user > computer)
Group Policy Settings

Group Policy settings for users control these settings:
• Software
• Windows
• Security
• Desktop

Group Policy settings for computers control these settings:
• Software
• Windows
• Security
• Operating systems
How Group Policy Is Applied

Computer starts (refresh interval: every 90 minutes)
• Computer settings applied (new settings are applied every 90 minutes)
• Startup scripts run

User logs on (refresh interval: every 90 minutes)
• User settings applied
• Logon scripts run
Exceptions to Group Policy Processing

Slow links:
• =500 kilobits per second (kbps) by default
• Certain client-side extensions are not processed
• Prior to Windows Vista, ICMP is used to detect a slow link
• Windows Vista uses Network Location Awareness

Cached credentials:
• Windows XP and Windows Vista use cached credentials for faster logons
• Many GPO settings take two logons to take effect

Additional exceptions (GP cannot be applied):

• Remote access connections: similar to slow link
• Moving a user or computer object in AD DS: the computer needs to be restarted
Group Policy Components

Group Policy Object
• Contains Group Policy settings
• Stores content in two locations

Group Policy Container
• Stored in AD DS
• Provides version information

Group Policy Template
• Stored in shared SYSVOL folder
• Provides Group Policy settings
• Supports both ADM and ADMX templates
What Are .ADM and ADMX Files?

ADM files are (>3 MB per file, before Server 2008):

• Copied into every GPO in SYSVOL
• Difficult to customize, different versions

ADMX files are (after Vista, Server 2008):

• Language neutral
• Not stored in the GPO, only stored in the central store
• Extensible through XML, a standard version to customize
What Is the Central Store?

The Central Store:


• Is a central repository for ADMX (syntax) and ADML (loading) files
• Is stored in SYSVOL
• Must be created manually
• Is detected automatically by Windows Vista or Windows Server 2008

[Diagram: ADMX files; a Windows Vista or Windows Server 2008 workstation; two domain controllers with SYSVOL]
Demonstration: Configuring Group Policy Objects
In this demonstration, you will see how to:
• Create a GPO

• Configure settings
Lesson 2: Configuring the Scope of Group Policy Objects
• Group Policy Processing Order

• What Are Multiple Local Group Policy Objects?

• Options for Modifying Group Policy Processing

• Demonstration: Configuring Group Policy Object Links

• Demonstration: Configuring Group Policy Inheritance

• Demonstration: Filtering Group Policy Objects Using Security Groups

• Demonstration: Filtering Group Policy Objects Using WMI Filters

• How Does Loopback Processing Work?

• Discussion: Configuring the Scope of Group Policy Processing
Group Policy Processing Order/Priority
[Diagram, in processing order:]
• GPO1: Local group
• GPO2: Site
• GPO3, GPO4: Domain
• GPO5: OU (with child OUs below it)
What Are Multiple Local Group Policy Objects?

• One layer of computer configurations that applies to all users

• Layers apply only to individual users, not to groups

• There are three layers of user configurations:
  • Administrator
  • Non-Administrator
  • User-specific
Options to Modify Group Policy Processing
Five methods to modify GPO default processing:

• Block inheritance

• Enforcement inheritance

• Filtering using:
• 1. Security group filters, or
• 2. WMI (Windows Management Instrumentation) filters
• Write the (Query: namespace: API

• Disabling GPOs

• Loopback processing:
• merge/ replace (computer/ user setting)
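
The interaction of the default processing order with Block Inheritance, Enforced links and disabled links, as an added Python model that is not part of the original slides. It assumes that link order 1 has the highest precedence within a container, that the local GPO is never blocked, and that among enforced links the highest container wins; the GPO1 to GPO5 labels are reused from the processing-order slide, while the link order and flags in `sample_chain` are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    enforced: bool = False
    enabled: bool = True      # a disabled link is skipped entirely

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # index 0 = link order 1
    block_inheritance: bool = False

def processing_order(chain):
    """chain[0] is the local GPO, then site, domain, and OUs from parent to child.
    Returns GPO names in the order they apply; the last one wins a conflict."""
    # The deepest container with Block Inheritance cuts off every non-enforced
    # link above it. The local GPO (index 0) is never blocked.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for link in reversed(c.links):   # link order 1 applies last in its container
            if not link.enabled:
                continue
            if link.enforced:
                enforced.append((i, link.gpo))
            elif i == 0 or i >= cut:
                normal.append(link.gpo)
    # Enforced links apply after everything else, and the highest container
    # wins among them, so the deepest enforced link is emitted first.
    enforced.sort(key=lambda pair: -pair[0])   # stable: keeps link order per container
    return normal + [gpo for _, gpo in enforced]

def sample_chain(block_ou=False, enforce_gpo4=False, enforce_gpo5=False):
    # Constructed sample: GPO3 is assumed to be link order 1 on the domain.
    return [
        Container("Local", [Link("GPO1")]),
        Container("Site", [Link("GPO2")]),
        Container("Domain", [Link("GPO3"), Link("GPO4", enforced=enforce_gpo4)]),
        Container("OU", [Link("GPO5", enforced=enforce_gpo5)], block_inheritance=block_ou),
    ]

if __name__ == "__main__":
    print(processing_order(sample_chain()))
    print(processing_order(sample_chain(block_ou=True)))
    print(processing_order(sample_chain(block_ou=True, enforce_gpo4=True)))
```
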
Demonstration: Configuring Group Policy Object Links
In this demonstration, you will see how to:
• Create and link GPOs to different locations within AD DS
• Disable a GPO link
Demonstration: Configuring Group Policy Inheritance
In this demonstration, you will see how to:
• Block GPO inheritance
• Enforce GPO inheritance
Demonstration: Filtering Group Policy Objects Using Security Groups
In this demonstration, you will see how to filter the application of GPOs using security groups
Demonstration: Filtering Group Policy Objects Using WMI Filters
In this demonstration, you will see how to create and assign a WMI filter
How Does Loopback Processing Work?
Discussion: Configuring the Scope of Group Policy Processing
[Diagram: Woodgrove Bank domain tree, showing the Head Office site and the Toronto site, a slow link and a high-speed link, and containers labeled Head Office, Winnipeg, Branches, Toronto, Servers, SQL Server and Exchange Server]
Lesson 3: Evaluating the Application of Group Policy Objects
• What Is Group Policy Reporting?

• What Is Group Policy Modeling?

• Demonstration: How to Evaluate the Application of Group Policy
What Is Group Policy Reporting?

Group Policy reporting is a method of planning and troubleshooting Group Policy

• Group Policy results are provided by the GPMC (Group Policy Management Console)

• GPResult is a command line utility


What Is Group Policy Modeling?

The Group Policy Modeling Wizard calculates the simulated net effect of GPOs

The Group Policy Modeling Wizard simulates:

• Site membership
• Security group membership
• WMI filters
• Slow links
• Loopback processing
• The effects of moving user or computer objects to a different Active Directory container
Demonstration: How to Evaluate the Application of Group Policy
In this demonstration, you will see how to run each of the tools for reviewing Group Policy application
Lesson 4: Managing Group Policy Objects
• GPO Management Tasks

• What Is a Starter GPO?

• Demonstration: How to Copy a GPO

• Demonstration: Backing up and Restoring GPOs

• Demonstration: Importing a GPO

• Migrating Group Policy Objects


GPO Management Tasks

GPO management tasks:

• Back up GPOs
• Restore GPOs
• Copy GPOs
• Import GPOs
What Is a Starter GPO?
• Stores administrative template settings on which the new GPOs will be based
• Can be exported to .cab files

• Can be imported into other areas of the enterprise

[Diagram: a Starter GPO exported to a .cab (cabinet) file, then loaded and imported into the GPMC]
Demonstration: How to Copy a GPO
In this demonstration, you will see how to copy a GPO
Demonstration: Backing up and Restoring GPOs
In this demonstration, you will see how to back up and restore a GPO
Demonstration: Importing a GPO
In this demonstration, you will see how to:
• Import a GPO
• Use a migration table
Migrating Group Policy Objects

The ADMX Migrator utility:

• Can be used to convert custom ADM files to ADMX

• Is GUI-based, and can be downloaded from the Microsoft download site
Lesson 5: Delegating Administrative Control of Group Policy
• Options for Delegating Control of GPOs

• Demonstration: How to Delegate Administrative Control of GPOs
Options for Delegating Control of GPOs

Methods to delegate control of GPOs in the domain (table columns: Create GPOs; Edit or delete GPOs; Link GPOs to containers; Use reporting tools):

• Membership in Group Policy Creator Owners group or explicit permission to create GPOs
• Assign Edit rights to individual policies
• Delegate the right to link GPOs to containers
• Delegate the right to use Group Policy reporting tools
Demonstration: How to Delegate Administrative Control of GPOs
In this demonstration, you will see how to delegate the right to create, edit, link, and use the reporting tools for Group Policy
Lab: Creating and Configuring GPOs
• Exercise 1: Creating Group Policy Objects

• Exercise 2: Managing the Scope of GPO Application

• Exercise 3: Verifying GPO Application

• Exercise 4: Managing GPOs

• Exercise 5: Delegating Administrative Control of GPOs

Logon information
• Virtual machine: NYC-DC1, NYC-CL1
• User name: Administrator
• Password: Pa$$w0rd

Estimated time: 75 minutes


Lab Review
• What other method could be used to grant a user the right to create GPOs in the domain?
• If you need to apply a GPO to computers that have certain services installed, what is the best approach?
Module Review and Takeaways
• Considerations

• Review questions
