70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment
Chapter 9: Implementing and Using Group Policy

Redirecting Folders
- Allows you to redirect the contents of a user's profile to a network location
- Profile contents that can be redirected are:
  - Application Data
  - Desktop
  - My Documents
  - Start Menu
- Redirection is useful because it:
  - Aids in backup
  - Reduces logon time
  - Allows creation of a standard desktop for multiple users

Folder Redirection (figure)

Redirecting Folders (continued) (figure)

The order of policy inheritance (diagram)
[Diagram: Local Computer Policy; Site Policy GPO linked to the Site; Domain Policy GPO linked to Domain A; Payroll OU, Sales OU and Product OU beneath the domain; Sales Policy GPO linked to the Sales OU]

Managing Group Policy Inheritance
- Specific order for GPO application:
  1. Local computer
  2. Site
  3. Domain
  4. Parent OU
  5. Child OU
- By default, all GPO settings are inherited
- At each level there can be multiple GPOs
- Policies are applied in the order that they appear on the Group Policy tab for each container (bottom GPO first)
- Applying a large number of GPOs can affect startup and logon performance

Managing Group Policy Inheritance (continued)
- Conflicts are resolved according to a set formula:
  - Later policy wins
  - Computer policy wins
- Policies are updated automatically at intervals and can be updated manually
- Policies can be linked to a site, a domain, or specific OU containers
- Multiple Group Policies can be assigned to a single container
- A single Group Policy can be linked to multiple containers

Configuring Block Policy Inheritance, No Override, and Filtering
- These options allow default behavior to be changed for specific containers:
  - Can change the default inheritance policy
  - Can change the default conflict resolution
  - Can change permissions for a specific member within a group to deny GPO application for that member

Blocking Group Policy Inheritance
- To change default inheritance, use the Block Policy inheritance check box on the Group Policy tab for a child container
- The child will not inherit the parent's policies
- Useful if one OU needs to be managed separately
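The following Python model is an added example, not code from the textbook. It encodes the inheritance rules from the slides above (Local, Site, Domain, OU order; bottom GPO on the tab first; later policy wins; computer policy wins; Block Policy inheritance) together with the No Override and permission-filtering behaviour the deck describes in the next slides, so that a resultant set of policy can be worked out by hand and compared with what GPRESULT or RSoP reports. The container names, GPO names, settings and account names are constructed for illustration. Two modelling assumptions: the Local GPO survives Block Policy inheritance (it is not a link), and No Override links from higher containers are applied after lower ones so the higher link wins.

```python
"""Model of Group Policy precedence (added example; scenario data is constructed)."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration settings
    user: dict = field(default_factory=dict)      # User Configuration settings
    no_override: bool = False                     # link flagged "No Override"
    denied: frozenset = frozenset()               # accounts with Read + Apply Group Policy denied


@dataclass
class Container:
    name: str
    links: list                     # GPO links as listed on the Group Policy tab, top to bottom
    block_inheritance: bool = False  # "Block Policy inheritance" check box
    is_local: bool = False           # the Local computer "container" (its GPO is not a link)


def processing_order(chain, principal):
    """GPOs that apply to `principal`, in application order (later entries win).

    `chain` lists containers from the Local computer down to the deepest OU.
    """
    normal = []               # (gpo, container) for ordinary links, accumulated top-down
    enforced_by_level = []    # No Override links, one list per container
    for container in chain:
        if container.block_inheritance:
            # Block Policy inheritance drops links inherited from higher containers.
            # Assumption: the Local GPO is kept because it is not a link.
            normal = [(g, c) for g, c in normal if c.is_local]
        level_enforced = []
        for gpo in reversed(container.links):       # bottom GPO on the tab first
            if principal in gpo.denied:             # filtered out by permissions
                continue
            if gpo.no_override:
                level_enforced.append(gpo)
            else:
                normal.append((gpo, container))
        enforced_by_level.append(level_enforced)
    # No Override links are applied after everything else, so they win despite
    # conflicts below and despite Block Policy inheritance. Assumption: the link
    # from the highest container is applied last, so it beats lower No Override links.
    enforced = [g for level in reversed(enforced_by_level) for g in level]
    return [g for g, _ in normal] + enforced


def resultant_settings(computer_chain, user_chain, computer, user):
    """Resultant settings for `user` logging on at `computer`.

    Later policy wins within each node; where the same setting is defined in
    both nodes, computer policy wins, so the computer pass runs last.
    """
    effective, source = {}, {}
    for gpo in processing_order(user_chain, user):
        for key, value in gpo.user.items():
            effective[key], source[key] = value, f"{gpo.name} (user)"
    for gpo in processing_order(computer_chain, computer):
        for key, value in gpo.computer.items():
            effective[key], source[key] = value, f"{gpo.name} (computer)"
    return effective, source


# Constructed scenario, loosely following the deck's diagram (Domain A with a Sales OU).
LOCAL = Container("Local computer", is_local=True,
                  links=[GPO("Local GPO", computer={"ScreenSaverTimeout": 900})])
SITE = Container("Site", links=[GPO("Site Policy", user={"HomePage": "http://site.example/"})])
DOMAIN = Container("Domain A", links=[
    GPO("Default Domain Policy", computer={"MinPasswordLength": 12}, no_override=True),
    GPO("Desktop Std", user={"HomePage": "http://portal.example/", "Wallpaper": "corp.bmp"}),
])
SALES = Container("Sales OU", block_inheritance=True, links=[
    GPO("Sales Policy", user={"HomePage": "http://sales.example/", "ScreenSaverTimeout": 600},
        denied=frozenset({"bob"})),                       # bob: Read + Apply denied
    GPO("Sales Baseline", user={"HomePage": "http://baseline.example/", "RemoveRun": True},
        computer={"ScreenSaverTimeout": 1200, "MinPasswordLength": 6}),
])
CHAIN = [LOCAL, SITE, DOMAIN, SALES]


if __name__ == "__main__":
    for account in ("alice", "bob"):
        order = processing_order(CHAIN, account)
        print(f"Processing order for {account}:", " -> ".join(g.name for g in order))
    effective, source = resultant_settings(CHAIN, CHAIN, "ws01", "alice")
    for key in sorted(effective):
        print(f"{key:20} = {effective[key]!s:24} from {source[key]}")
```

In the constructed scenario the Sales OU blocks inheritance, so Desktop Std and Site Policy never reach alice, yet the Default Domain Policy still sets MinPasswordLength to 12 because its link is No Override, overriding the Sales Baseline value of 6. The two Sales links conflict on HomePage and the one listed higher on the tab (Sales Policy) wins because it is applied later; bob, who is denied Read and Apply Group Policy on that GPO, keeps the baseline value. ScreenSaverTimeout ends up at the computer value of 1200 rather than the user value of 600.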
Configuring No Override
- If a policy is configured with No Override:
  - It will be enforced despite conflicts in lower-level policies
  - It will be enforced on lower-level containers with Block Policy inheritance set

Filtering Using Permissions
- Prevents policy settings from applying to a particular user, group, or computer within a container
- To filter a GPO from a particular container member, deny the Read and Apply Group Policy permissions for the member account only

Troubleshooting Group Policy Settings
- Potential trouble areas:
  - Order of Group Policy processing
  - Improper use of No Override or Block Policy inheritance settings
  - Read and Apply Group Policy permissions
- Utilities that show effective Group Policy settings:
  - GPRESULT: command-line utility
  - Resultant Set of Policy (RSoP): graphical utility

Deploying Software Using Group Policy
- Applications that can be deployed using Group Policy include:
  - Business applications (e.g., Microsoft Office)
  - Anti-virus software
  - Software updates (e.g., service packs)
- Four phases of software rollout:
  1. Software preparation
  2. Deployment
  3. Software maintenance
  4. Software removal

Software Preparation
- Microsoft Windows Installer package (MSI)
- An MSI file contains all of the information needed to install an application in a variety of configurations
- Software vendors include preconfigured MSI packages
- For older applications, MSI packages can be created using third-party utilities (e.g., VERITAS WinInstall LE)
- To install, place the MSI file in a shared folder and configure Group Policy to access it for installation

Software Preparation (continued)
- If an application doesn't have an MSI package, a ZAP file can be used:
  - Text file used by Group Policy to deploy an application
  - Can only be published, not assigned
  - Is not resilient
  - Requires user intervention and proper permissions

Deployment
- Two ways to deploy an application:
  - Assigning applications
  - Publishing applications

Assigning Applications
- When a policy is created to assign an application:
  - Any user the policy applies to has a shortcut on the Start menu
  - The application is installed when the user clicks the shortcut for the first time or opens it with an associated document
  - If the policy is configured in the computer section, the application is installed the next time the computer is started
  - Applications are resilient: if files are corrupted, the application reinstalls itself

Publishing Applications
- When a policy is created to publish an application:
  - It is not advertised in the Start menu
  - It is installed using the Add/Remove Programs applet or by opening an associated document
  - Applications are only published to users, not computers

Configuring the Deployment
- Create or edit a GPO and specify deployment options
- Assign or publish the application to computers or users to install at the appropriate time

Software Maintenance
- Software must be maintained with patches and updates
- Deployment of patches and updates can be:
  - Mandatory upgrade
  - Optional upgrade
  - Redeployment of an application

Software Maintenance (figure)

Software Removal
- The application must have been originally installed using a Windows Installer package
- Removal can be:
  - Forced removal
  - Optional removal
- Forced removal uninstalls the application and prevents it from being reinstalled
- Optional removal does not uninstall the application but does prevent it from being reinstalled once removed

Software Removal (figure)

Group Policy Over Slow Links
- Slow link connection: 500 kbps by default
  - Configurable via policy setting
- When a slow link is detected:
  - Security Settings and Administrative Templates are always applied
  - By default, Software Installation, Scripts, and Folder Redirection are not applied
  - Configurable via policy setting for each extension
- RAS does not necessarily imply a slow link

DC Issues
- Avoid modifying the default GPOs:
  - Default Domain Policy
  - Default Domain Controllers Policy
- Exceptions:
  - Account Policy should be set only in the Default Domain Policy, not in any other GPO at the domain level
  - User rights for DCs should only be contained in the Default DC Policy
  - As required for app compat, if you install apps on DCs (avoid this)
- Avoid installing apps on DCs that modify security policy automatically
- Ensure all DCs receive consistent policy settings:
  - Do not filter policy settings on individual DCs
  - All DCs should remain in the Domain Controllers OU