More GPO’s & GPP Chapter 7. Agenda Group Policies (the day after) Group Policy Preferences.

More GPO’s & GPPChapter 7

Agenda

• Group Policies (the day after)

• Group Policy Preferences

Group Policies (the day after)

• How can we keep track of what we have done or changed?

• We can name the policy appropriately based on function or grouping of settings• Interactive_Logon_Policy

• Internet_Explorer_Policy

• The GPMC allows us to make comments regarding a particular policy.

• What should we comment on?

• Who’s in charge of the GPO

• Who to call if there is a problem?

• Who is supposed to be affected by this GPO?

• Detailed information about what this GPO should do

• Who will get fired if this doesn’t work


• Comments…

• GPMCSelect PolicyEditRight click on Policy name (see below)Properties


• Comments…


• Controlling how GPO’s run• Disable local GPOs from applying

• CCPoliciesAdmin TemplatesSystemGroup Policy


• Controlling how GPO’s run• Disable Link Enabled Status

• Disable “half” of a Group Policy• Will speed up processing (not very noticeable)


• Controlling how GPO’s run• The Enforced Function

• Guarantees that policy settings within a GPO from a higher level are always inherited by lower levels

• Right click on Policy and choose Enforce

Group Policy Preferences


• Group Policy Preferences (GPP)• Extensions or “new settings”

• Adds more than 3000 policy settings!• Modify the local administrator password on every desktop

• Create a shortcut on the desktop

• Different than normal GPO settings as they are “sorta” duplicate under user and computer settings


• What’s the difference between Group Policies and Preferences?

• *Group Policy settings will:

• not tattoo. In other words, when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used.

• supersede an application's configuration setting. In other words, when a GP policy is configured to a value, the application is aware of that value and always uses it over the configurable value.

• be recognized by an application. In other words, the display of the configuration item under control of a GP policy setting will be unavailable through the user interface. This is where graying out a configuration item on a menu, not displaying a dialog box, or providing a pop-up message explaining the current feature is under administrator control is used to inform the user they can't configure an option.

• *http://blogs.technet.com/b/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx


• Group Policy Preference settings will:

• tattoo. In other words, when a GPO goes out of scope, the preference value will remain in the registry. An administrator is responsible for making sure these values are set to disable, prior to the GPO going out of scope, if the administrator wants the preference setting removed. The preference setting will not be replaced with the original application configuration value.

• overwrite an application's configuration setting. This is accomplished by overwriting the original user configured-value for the application. No effort is made to retain the original value before overwriting the value with the preference setting. And, as was noted in 1, the overwritten value will not be removed when the GPO goes out of scope.

• not be recognized by an application. In other words, the application's user interface will allow a user to change the configuration item. Most importantly, the Group Policy engine only recognizes when a GPO changes, not when the preference value has been changed. This means the preference setting will be applied once and not automatically reapplied if the user changes the value of the configuration item.


• Group Policy PreferencesSettings are the similar for both user and computer configurations


• Group Policy Preferences (GPP) are essentially an extension DLL (dynamic link library) that does a bunch of stuff.

• Can be “undone” by the user


• Computer Configuration PreferencesWindows Settings

• Environment:

• Set user and system environment variables

• Change the Windows system path variable

• Files• Copy files from point A to point B

• Server share to %Documents% on the local system

• Folders

• Create, delete or empty folders

• Network Shares

• Create shares on workstations or servers

• Shorcuts• Place program or URL on desktops, startup folder, Programs folders, etc

etc.


• Computer/User ConfigurationPreferencesControl Panel


Common Control Panel Settings

• Local users and groups

• Create/change local users

• Modify local user passwords

• Change local user group membership

• Power Options

• Create power options for XP

• Create power plans for Vista and later



• Printers• ComputerLocal/IP

• UserLocal/IP/Shared

Summary

• You can add comments to help document GPOs

• Enforced Function overrules blocking of inheritance

• You can disable “half” of a GPO

• Group Policy settings are “undone” when the system or user falls out of scope (Group Policy is changed/link removed or User/Computer is moved to another container)

• GPP’s are extensions and stay with the system (tattoo’d) regardless of the Group Policy falling out of scope (Group Policy removed/unlinked from OU)

• GPP’s can be undone by the users

More GPO’s & GPP Chapter 7. Agenda Group Policies (the day after) Group Policy Preferences.

Documents

group policy settings

particular policy

group policy object

gp policy setting

belowproperties group

noticeable group policies

preference value

original value