Understanding Group Policy on Windows Server 2003 Michael J. Murphy TechNet Presenter [email protected].

Understanding Group Policy on Windows Server 2003

Michael J. MurphyMichael J. MurphyTechNet PresenterTechNet [email protected]

What we will cover:

• Group Policy Concepts

• Linking and Order of Precedence

• Group Policy Management Console

• New Features of Windows 2003 Group Policy

Prerequisite Knowledge• Experience supporting Windows servers

• Experience supporting Microsoft networks

• Familiarity with the Windows server user interface

• Understanding of Active Directory concepts

Level 200Level 200

Agenda• Windows Server 2003 Group Policy

Concepts

• Linking and Order of Precedence

• Group Policy Management Console

• New Features of Windows 2003 Group Policy

Group Policy Management Issues

• Problem: Group Policy is too hard

• Existing UI confusing and limited

• Core capabilities missing – Reporting of GPO settings– Backup/restore of GPOs– Import/export of GPOs

• Existing capabilities not scriptable

Windows Server 2003 Group PolicyGroup Policy Concepts

• Used to manage users and computers– Deploys Policy through Active Directory– Applied at site, domain, and OU levels

• Group Policy is highly flexible– Registry-based policy settings– Security settings– Software installation– User Environment control– Internet Explorer maintenance

Agenda• Windows Server 2003 Group Policy

Concepts

• Linking and Order of Precedence

• Group Policy Management Console

• New Features of Windows 2003 Group Policy

Windows Server 2003 Group PolicyGroup Policy Order of Precedence

Local Security Policy

Site Policy

Domain Policy

Parent OU Policy

Child OU Policy

Windows Server 2003 Group PolicyGroup Policy Objects and Links

• GPOs contain policy settings • Links define what objects the GPO will

target– Scope of Management

• Sites, Domains, OU, OU, etc.

• Filtering can be based on links to Scope Of Management (SOM)

• Group Policy Management Console– Better illustrates the relationship between GPOs

and Links

Agenda• Windows Server 2003 Group Policy

Concepts

• Linking and Order of Precedence

• Group Policy Management Console

• New Features of Windows 2003 Group Policy

Windows Server 2003 Group PolicyGroup Policy Management Console

Windows Server 2003 Group Policy Administrative Template Extension

• Used by Group Policy to configure settings in a Group Policy Object

• Server Side Snap-in– Loads in Group Policy Object Editor– ADM files

• Client-Side Extension– Writes policy settings that update registry keys

on target client computers

Windows Server 2003 Group Policy ADM Files

• Enables configuration of policy settings– Do not actually contain policy settings– Policy settings are contained registry.pol

• Windows Server 2003 contains:– System.adm– Inetres.adm– Conf.adm – Wmplayer.adm– Wuau.adm

• Location of ADM files

Windows Server 2003 Group Policy ADM Files Walkthrough

Windows Server 2003 Group Policy

Registry.pol Files Walkthrough

Windows Server 2003 Group Windows Server 2003 Group PolicyPolicy

Group Policy Concepts and the GPMCGroup Policy Concepts and the GPMC

Editing Group Policy ObjectsEditing Group Policy Objects

Creating and Managing Group PoliciesCreating and Managing Group Policies

demonstrationdemonstration

Windows Server 2003 Group PolicyGroup Policy Capabilities

• Folder redirection

• Backup/Restore

• Software restriction

• WMI Filters

Group Policy Management Backup and Restore

• Backup / Export:– Transfers any live GPO to the file system– Backs up policy settings, ACLs, links to WMI filters

• Restore:– Puts things back exactly as before– GPO must be in the same domain

• Scenario:– Restore a policy to return to original settings

Software Restriction Policies Goals

• New feature of Group Policies

• Allow or restrict access to software– Set default to allow or disallow software– Create rules to bypass the default– Specify affected file extensions

• Prevent:– Viruses– Unapproved or non-standard applications– Any applications you wish to restrict

Software Restriction Policies Rules

• Certificate Rules– Verify digital certificate

• Hash Rules– Identifies software with unique hash

• Internet Zone Rules– Applies to Windows Installer packages

• Path Rules– Define specific path for software

Group Policy Management WMI Filters

Group Policy Management WMI Filters

Software Restriction Policies

Software Restriction Policies

Creating a Path Rule

demonstrationdemonstration

Session Summary• Group Policy allows you to manage and control your environment more easily• Use the new GPMC to manage GPO’s and Security Policies• Take Advantage of New Features of Windows Server 2003 Group Policy

For More Information…

• Visit TechNet at www.microsoft.com/technet• For additional information on books, courses and

other community resources that support this session visit

www.microsoft.com/technet/tnt1-119www.microsoft.com/technet/tnt1-119