9.1 © 2004 Pearson Education, Inc. Lesson 9: Implementing Group Policy in Windows 2000 Server Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure.

9.1 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Goals Understand group policy

Understand group policy settings

Identify the role of a group policy at startup and logon

Plan a group policy implementation

Create a group policy object

Assign control over a group policy object

9.2 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Introducing Group Policy Group Policy is an Active Directory feature

Helps administrators specify the standard behavior of users’ desktops

Enforces the specified requirements

You can applied group policies to various Active Directory containers SitesDomainsOrganizational Units (OUs)

(Skill 1)

9.3 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Introducing Group Policy (2) Group Policy is also called a Group Policy Object

(GPO) since it is an object of Active Directory GPO partsGPO parts

A Group Policy Container (GPC) is an Active Directory component and contains GPO attributes, extensions, and version information

A Group Policy Template (GPT) is a collection of folders stored under the SYSVOL\sysvol\domainname\Policies folder on each Windows 2000 domain controller

(Skill 1)

9.4 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

(Skill 1)

Figure 9-1 GPC containers in the Active Directory Users and Computers console

9.5 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

(Skill 1)

Figure 9-2 Adding the Group Policy snap-in to the console

9.6 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

(Skill 1)

Figure 9-3 Accessing the Group Policy snap-in

9.7 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Introducing the Types of Group Policy Settings You can apply group policies to both users and

computers Computer configuration settings

Refer to the group policies for computers, irrespective of the users logging on to them

Apply to a computer during the initialization of the operating system

User configuration settings Refer to the group policies for users, irrespective of the

computer the users log on toApply at the time of user logon

(Skill 2)

9.8 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Introducing the Types of Group Policy Settings (2)

Computer configuration settings and User configuration settings both contain three containers, each of which include several related policies Software Settings container contains the Software

Installation extensionWindows Settings container contains Scripts and

Security Settings extensionsAdministrative Templates container contains all

registry-based Group Policy settings

(Skill 2)

9.9 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

(Skill 2)

Figure 9-4 Group Policy settings in the Group Policy snap-in

9.10 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Identifying the Role of a Group Policy at Startup and Logon

The role of a Group Policy begins when a computer starts up and a user logs onDuring startup and logon, both the Computer

Configuration and the User Configuration settings are applied in a specific sequence

If computer settings and user settings conflict with each other, computer settings take precedence

(Skill 3)

9.11 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Identifying the Role of a Group Policy at Startup and Logon (2)

Processing sequence Is very important when dealing with multiple policies If a conflict occurs in case of multiple policies, the

policy to apply last wins If a computer belongs to a workgroup, it only

processes the local GPO

(Skill 3)

9.12 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Identifying the Role of a Group Policy at Startup and Logon (3)

Exceptions to processing order If the Block Policy Inheritance option is set for a

domain or OU, the GPOs above that point in the structure do not affect users or computers in that structure

If there is a conflict between No Override and Block Inheritance, No Override always wins

If Loopback settings are applied to a GPO list, the default GPO processing order is not maintained

If the No Override option is set for a GPO, no configured policy setting in the GPO can be overridden

(Skill 3)

9.13 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Figure 9-5 The sequence in which computer configuration

and user configuration settings are applied

(Skill 3)

9.14 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Planning a Group Policy Implementation Factors to consider before implementing a Group Policy

include location of GPOs, delegation of authority, and organization structure

Major implementation strategies Centralized design approach suggests that the organization

network should be maintained by a small number of large GPOs

Decentralized design approach uses separate GPOs for specific policy settings

Functional role design approach suggests that the functional roles of users in an organization be used to apply group policies

Central control design approach suggests that you maintain a central control while delegating administration to various OU administrators

(Skill 4)

9.15 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Creating a Group Policy Object After identifying the GPO implementation

strategy for your organization, you need to create a GPO that best suits your requirements

When you install Active Directory, two GPOs are created automaticallyDefault Domain Policy (linked to the domain)Default Domain Controller Policy (linked to the

Domain Controllers OU)

You can link GPOs to sites, domains and OUs

(Skill 5)

9.16 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Creating a Group Policy Object (2) Use the Active Directory Sites and Services

console to link a GPO to a site Use the Active Directory Users and Computers

console to link GPOs to domains and OUs You can create a stand-alone GPO console for

a GPO and access it directly from the Administrative Tools menu

(Skill 5)

9.17 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Figure 9-6 Creating a new GPO

(Skill 5)

9.18 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Figure 9-7 Creating a GPO console

(Skill 5)

9.19 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Assigning Control of a Group Policy Object to Administrators

Once a GPO is created, you should delegate administrative control of the GPO to various administrators in your organization

Delegation relieves the administrative burden that might fall on a single individual

(Skill 6)

9.20 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Assigning Control of a Group Policy Object to Administrators (2)

Use the Properties dialog box for the GPO to assign permissions that delegate the administrative control of a GPOTo provide administrative control of the GPO,

set both the Read and Write permissions to Allow

A user having only Read permissions cannot open the various extensions of the Group Policy snap-in

(Skill 6)

9.21 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Figure 9-8 Selecting the Group Policy object for which you want to assign control

(Skill 6)

9.22 © 2004 Pearson Education, Inc.

Lesson 9: Implementing Group Policy in Windows 2000 Server

Exam 70-217 Microsoft® Windows® 2000 Directory Services Infrastructure

Figure 9-9 Setting permissions

(Skill 6)