Chapter 7, Designing Group Policy

|1|Chapter Overview

Planning Deployment of Group Policy

Troubleshooting Group Policy

Chapter 7, Lesson 1

|2|Planning Deployment of Group Policy

|3|1.Group Policy Overview

A.Group Policy allows centralized control of user and computer configuration settings.

B.Group Policy uses Active Directory to centralize management and standardize security settings.

C.Use the Block Policy Inheritance attribute or the No Override attribute to modify the default inheritance model.

|4|2.Planning Group Policy Inheritance

A.Introduction

1.Inheritance simplifies Group Policy administration: settings that should apply widely are defined once at a higher-level OU (or at the domain) and are inherited by every OU beneath it.

2.A Group Policy can be applied at different levels within Active Directory by defining Group Policy objects that are linked to sites, domains, or OUs.

3.The Group Policy is applied to all computer or user objects within the container where the Group Policy object is linked, and, through inheritance, to those in its child containers.

4.The effective settings for a user or computer are determined by the inheritance model: every Group Policy object linked at or above the object's container is applied, in a fixed order.

5.Because OU-linked Group Policy objects are applied last, their settings typically take precedence over conflicting site and domain settings.

|5|B.Group Policy application order

1.Local Group Policies

a.The local Group Policy object is applied first, so any conflicting setting defined in a centralized (Active Directory-based) Group Policy object takes precedence over it.

2.Site Group Policies

a.Avoid defining Site Group Policies; they are rarely required and carry a performance cost.
b.A Site Group Policy object is stored in the system volume (SYSVOL) of the DCs of the domain in which it was defined, which is not necessarily the client's own domain.
c.The Windows 2000 client must contact a DC of that domain to download the Group Policy.
d.If no DC of that domain is located at the local site, logon times might be slow.

3.Domain Group Policies

a.Domain Group Policies are used to define standard settings that apply to all computers in the domain.
b.Account Policy settings are domain-level settings.

4.OU Group Policies

a.OU Group Policies have the widest effect when linked high in the OU structure.
b.Group Policy settings linked at top-level OUs are inherited by, and therefore affect, a larger number of computers or users.

5.Sub-OU Group Policies

a.Sub-OU Group Policies are applied last, so on a conflict they win over the parent OU, domain, and site settings (unless a higher-level object is marked No Override).
b.Group Policy settings are more specific in lower-level OUs.
c.These Group Policy settings affect a smaller number of user or computer objects.

|6|C.Assessing Group Policy application

1.Security requirements must be met without significantly affecting logon performance.

2.Use the following design strategies:

a.Disable the unused User Configuration or Computer Configuration portion of each Group Policy object so that it is skipped during processing.
b.Minimize the number of levels at which Group Policy is applied.
c.Avoid cross-domain Group Policy object links; the client must contact a DC in the other domain to read the object.

|7|D.Block Policy Inheritance attribute

1.Use the Block Policy Inheritance attribute to prevent the application of higher-level Group Policies.

2.Block Policy Inheritance complicates the troubleshooting of Group Policy application problems, because the inheritance order can no longer be read directly from the hierarchy.

3.Adding new OUs or redesigning the OU structure often removes the need to apply the Block Policy Inheritance attribute.

E.Configuring the No Override attribute

1.The No Override attribute is set on a Group Policy object link when an administrator does not want administrators of lower-level OUs to block or override critical Group Policy settings.

2.Settings in a No Override Group Policy object cannot be overridden by lower-level Group Policy objects, and Block Policy Inheritance at a lower level does not block them.

3.Do not include settings that may legitimately be overridden at lower levels in a No Override Group Policy object.

4.Instead, create a separate Group Policy object containing only those settings that must apply to all objects within the container structure, and set No Override on that object alone.

|8|F.Making the decision: designing Group Policy

1.To simplify the troubleshooting of Group Policy

a.Allow only default inheritance to take place.

b.Implementing Block Policy Inheritance or No Override attributes might require extensive reworking of the OU design.

2.To minimize the time spent processing Group Policy during logon

a.Minimize the number of levels where Group Policy is applied.

b.Avoid cross-linking Group Policy objects between domains.

3.To prevent blocking of key Group Policy settings

a.Break the key settings into a separate Group Policy object and apply the No Override attribute to the Group Policy object.

4.To prevent users from changing configuration by applying Local Group Policies

a.Ensure that important settings are defined in Group Policy.

(1)Active Directory-based Group Policy settings always take precedence over conflicting local Group Policy settings; a setting left Not Configured in every Active Directory Group Policy object, however, keeps whatever value the local Group Policy gives it.

5.To apply central Group Policy that will affect all users

a.Apply the Group Policy object higher in the Active Directory hierarchy.

(1)Commonly applied at the domain or at a top-level OU.

6.To apply specific Group Policy to a limited number of computers or users

a.Apply the Group Policy object at the OU where the user or computer objects are located in Active Directory.
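The precedence rules in sections B through F (Local, then Site, Domain, OU and sub-OU, with Block Policy Inheritance cutting normal links from above and No Override links surviving and winning) can be exercised offline with the following model. It is an added example written for this outline, not a Group Policy engine or any Microsoft code: the GPO, container and setting names are constructed to resemble the Wide World Importers design, and the `resolve` function, the `GPO` and `Container` types and their fields are assumptions of the model.

```python
"""Model of Windows 2000 Group Policy precedence (added example, not a
real Group Policy engine): application order Local -> Site -> Domain ->
OU -> sub-OU, Block Policy Inheritance, and No Override.  Container,
GPO and setting names are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                 # setting -> value; absent means Not Configured
    no_override: bool = False      # No Override attribute on the link


@dataclass
class Container:
    name: str                      # site, domain or OU
    gpos: list = field(default_factory=list)  # links, in processing order
    block_inheritance: bool = False           # Block Policy Inheritance attribute


def resolve(local_gpo, chain):
    """chain lists the containers from the site down to the container that
    holds the user or computer object.  Returns (GPO names in the order they
    were applied, effective settings, setting -> name of the GPO that won)."""
    # The deepest Block Policy Inheritance cuts every normal link above it.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    normal, enforced = [], []
    for level, container in enumerate(chain):
        for gpo in container.gpos:
            if gpo.no_override:
                enforced.append((level, gpo))     # never blocked
            elif level >= block_at:
                normal.append((level, gpo))
    # Local policy first (it is never blocked), then the surviving normal links
    # from site down to sub-OU (later wins), then No Override links deepest
    # first, so that the highest-level No Override link has the final word.
    order = ([local_gpo] + [g for _, g in normal]
             + [g for _, g in sorted(enforced, key=lambda lg: lg[0], reverse=True)])
    effective, source = {}, {}
    for gpo in order:
        for setting, value in gpo.settings.items():
            effective[setting] = value
            source[setting] = gpo.name
    return [g.name for g in order], effective, source


# Constructed sample hierarchy modelled on the Wide World Importers scenario.
LOCAL = GPO("Local Group Policy", {"ScreenSaverTimeout": 600, "WallpaperLocked": False})
SITE = Container("Site:Toronto")                    # no site policies, per the design advice
DOMAIN = Container("Domain:wideworldimporters.tld", [
    GPO("Default Domain Policy", {"MinimumPasswordLength": 8, "ScreenSaverTimeout": 900},
        no_override=True),
    GPO("Corporate Wallpaper", {"WallpaperLocked": True}),
])
TORONTO = Container("OU=Toronto", [GPO("Toronto Desktop", {"ScreenSaverTimeout": 1800})],
                    block_inheritance=True)
ACCOUNTING = Container("OU=Accounting", [GPO("Accounting Apps", {"AssignedApps": ["Accounting"]})])
CHAIN = [SITE, DOMAIN, TORONTO, ACCOUNTING]


if __name__ == "__main__":
    applied, effective, source = resolve(LOCAL, CHAIN)
    print("applied in order:", applied)
    for setting in sorted(effective):
        print(f"{setting:22} = {effective[setting]!s:14} from {source[setting]}")
```

Running it shows the three cases the outline warns about: the Toronto OU's Block Policy Inheritance drops the domain's Corporate Wallpaper object, so the local WallpaperLocked value survives; the No Override Default Domain Policy is applied last and its 900-second timeout beats the Toronto OU's 1800 even though that OU blocks inheritance; and the local 600-second value is overridden because a centralized object configures the same setting.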

|9|G.Applying the decision: deploying software applications at Wide World Importers

1.Create separate Group Policy objects for the engineering.wideworldimporters.tld and wideworldimporters.tld domains.

a.If the Group Policy object to install Office is defined in the wideworldimporters.tld domain and then cross-linked to the engineering.wideworldimporters.tld domain, the Engineering department will have slower logons.

b.Better performance can be achieved by defining two Group Policy objects.

2.Apply the Group Policy that assigns Office to all employees at the wideworldimporters.tld domain and the engineering.wideworldimporters.tld domain.

a.The application is available to all users in each domain.

|10|3.Remove the computer component of the Office installation Group Policy object.

a.The computer component of the Group Policy object does not need to be enabled.

b.The application will be user-assigned.

4.Apply the Group Policy object that assigns the accounting software at the OU=Computers, OU=Accounting, OU=cityname, DC=Wideworldimporters, DC=TLD containers.

a.The Group Policy will be linked to six separate OUs.

5.Remove the user component of the accounting software installation Group Policy object.

a.The user component of the Group Policy object does not need to be enabled.

b.The application will be computer-assigned, so it is installed on the accounting computers regardless of which user logs on.

6.The No Override and Block Policy Inheritance attributes do not need to be implemented.

|11|3.Filtering Group Policy by Using Security Groups

A.Introduction

1.Group Policy objects cannot be linked to security groups; they are linked only to sites, domains, and OUs.

2.Group Policy is based on the location of objects within the Active Directory hierarchy.

3.By default, Group Policies apply to all users and computers within a site, domain, or OU.

4.Use security groups to filter Group Policy application so that it applies only to specific users and computers within a given container.

5.When defining a Group Policy object, specify on its Security tab which security groups are granted the Read and Apply Group Policy permissions; only members of those groups receive the policy.

|12|B.Making the decision: designing Group Policy filtering strategies

1.To ensure that a Group Policy is applied to a security group

a.Assign both the Read and Apply Group Policy permissions to the security group

2.To prevent an OU administrator from blocking inheritance

a.Do not assign the OU administrator the Write permission for the Group Policy object

b.Apply the Group Policy object at the parent OU and filter the Group Policy object so that it is applied to only the computers or users in the child OU

3.To prevent application of a Group Policy object to a specific group of users or computers

a.Create a security group with those users or computers as members

b.Assign the security group the Deny permission for Apply Group Policy, which prevents the Group Policy object from being applied to the security group; a Deny takes precedence over any Allow the same user or computer receives through another group

|13|C.Applying the decision: Group Policy filtering at Wide World Importers

1.Create two custom domain local groups named FullTimeGP and ContingentGP.

a.Use these domain local groups as the trustees on the Security tab of Group Policy objects such as the Office Group Policy object, granting or withholding the Read and Apply Group Policy permissions per object.

2.Create two custom global groups named FullTimeEmployees and ContingentStaff that contain all full-time staff and all contingent staff.

a.These global groups will be members of the FullTimeGP and ContingentGP domain local groups.

3.Configure the security for the Office Group Policy so that only the FullTimeGP domain local group has Read and Apply Group Policy permissions.

a.Ensure that only the full-time staff has the Office software assigned by using Group Policy.

b.Remove the Apply Group Policy permission that Authenticated Users receives by default on every new Group Policy object; otherwise the Office Group Policy still applies to every user in the domain.

4.The network administrators could also configure the Office Group Policy to have the No Override attribute.

a.Prevents regional office administrators from blocking the installation of Office.

b.Is not required for the Office Group Policy because it is not a security setting.

Chapter 7, Lesson 2

|14|Troubleshooting Group Policy

|15|1.Assessing Group Policy Troubleshooting

A.Troubleshooting Group Policy application

1.Inspect the Active Directory hierarchy.

a.Because there is a default inheritance order for Group Policies, inspect the Active Directory hierarchy to determine the location of Group Policy objects that affect the user or computer.

2.Inspect applied Group Policies by using the Gpresult utility.

a.Gpresult is a utility from the Microsoft Windows 2000 Resource Kit.

b.Use Gpresult to show which Group Policies were applied to the computer or user.

c.Gpresult lists all group memberships of the user or computer being analyzed.

d.This group membership information is useful in troubleshooting security group filtering.

|16|B.Gpresult [/V] [/S] [/C | /U] [/?]

1./V runs Gpresult in verbose mode.

2./S runs Gpresult in super verbose mode.

3./C only displays the Group Policy objects applied to the computer.

4./U only displays the Group Policy objects applied to the user.

Note: these switches belong to the Resource Kit version of Gpresult. The Gpresult built into later versions of Windows uses different switches (for example, gpresult /r /scope:user /v).

|17|2.Making the Decision: Troubleshooting Group Policy Application

A.To determine all possible locations where Group Policy objects might be defined

1.Inspect the Active Directory structure to determine the site, domain, and OUs that could have Group Policy applied to the user or computer.

B.To determine whether the Group Policy that was applied is a user or computer configuration setting

1.Use the Gpresult utility from the Microsoft Windows 2000 Resource Kit to determine which Group Policies were applied to the computer or user.

C.To determine why a higher-level Group Policy is not applied

1.Look for Block Policy Inheritance attributes or conflicting settings at an OU closer to the user or computer object than where the higher-level Group Policy is defined.

2.Determine if Group Policy filtering has been configured.

a.If the affected computer or user is not a member of a security group that has the Read and Apply Group Policy permissions assigned, the Group Policy object will not be applied.

D.To determine why a lower-level Group Policy is not applied

1.Look for a Group Policy object with the No Override attribute set at an OU, domain, or site higher in the hierarchy.

2.Determine if Group Policy filtering has been configured.

a.If the affected computer or user is not a member of a security group that has the Read and Apply Group Policy permissions assigned, the Group Policy object will not be applied.

E.To determine why a Group Policy does not apply to all computers or users within a site, domain, or OU

1.Inspect the Group Policy object’s Security tab to determine which security groups have been assigned the Read and Apply Group Policy permissions.

a.To apply Group Policy, both permissions must be assigned.

|18|3.Applying the Decision: Troubleshooting Group Policy Application at Wide World Importers

A.Verify the location of Don’s user account in Active Directory.

1.OU=Users, OU=Accounting, OU=Toronto, DC=Wideworldimporters, DC=tld.

B.Determine where Group Policies might exist that could affect Don's user account for application of Group Policy.

1.Group Policy could be applied to Don’s user account from the following locations:

a.Toronto site

b.wideworldimporters.tld domain

c.Toronto OU

d.Accounting OU

e.Users OU

C.Run Gpresult to determine all user Group Policies that were applied to Don's user account at logon.

1.Run Gpresult /U /S at Don’s computer to determine which user Group Policy objects were applied when he logged on.

2.The results would show that the Office Group Policy object was not applied.

D.Determine if filtering is affecting the Group Policy application.

1.The Office Group Policy object is applied only to full-time employees in the wideworldimporters.tld domain.

2.Don’s account was not made a member of the FullTimeEmployees global group and he is still a member of the ContingentStaff global group.

3.Don will not have the Microsoft Office Group Policy applied to his user account until he is made a member of the FullTimeEmployees global group and then logs off and back on to the network, so that his access token is rebuilt with the new group membership (filtering is evaluated against the groups in the token built at logon).
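The filtering rules from Lesson 1, section 3 (Read plus Apply Group Policy required, Deny wins, permissions granted to domain local groups that contain the global groups) and the troubleshooting of Don's account above can be exercised with the following model. It is an added example written for this outline, not directory data or any Microsoft code: the users, groups and ACLs are constructed after the Wide World Importers scenario, and the `logon_token`, `gpo_applies`, `check` and `with_member` functions are assumptions of the model. The only fact it relies on beyond the outline is that a newly created Group Policy object grants Authenticated Users both Read and Apply Group Policy.

```python
"""Model of Group Policy filtering by security group (added example, not
real directory or GPO code).  A Group Policy object is applied only if the
logon token carries a group that is allowed both Read and Apply Group
Policy and no group in the token is denied either one; Deny wins.  Group,
user and GPO names are constructed after the Wide World Importers scenario."""

READ, APPLY = "Read", "Apply Group Policy"

# group -> members (users or other groups).  Global groups hold the staff;
# domain local groups hold the global groups and are the ACL trustees.
GROUPS = {
    "FullTimeEmployees": {"Alice"},        # global
    "ContingentStaff": {"Don"},            # global
    "FullTimeGP": {"FullTimeEmployees"},   # domain local
    "ContingentGP": {"ContingentStaff"},   # domain local
}


def with_member(groups, group, member):
    """Return a copy of groups with member added to group (a directory change)."""
    updated = {g: set(m) for g, m in groups.items()}
    updated.setdefault(group, set()).add(member)
    return updated


def logon_token(principal, groups):
    """Expand nested membership the way the access token is built at logon.
    The token is rebuilt only at the next logon, so a membership change made
    afterwards does not change filtering until the user logs off and on."""
    token = {"Authenticated Users"}
    frontier = [principal]
    while frontier:
        name = frontier.pop()
        for group, members in groups.items():
            if name in members and group not in token:
                token.add(group)
                frontier.append(group)
    return frozenset(token)


# ACL entries: (trustee, permission, allow).  allow=False is a Deny ACE.
DEFAULT_ACL = [("Authenticated Users", READ, True),
               ("Authenticated Users", APPLY, True)]      # what a new GPO grants

# Office GPO after filtering: Authenticated Users keeps Read but loses
# Apply Group Policy; only FullTimeGP is allowed both.
OFFICE_ACL = [("Authenticated Users", READ, True),
              ("FullTimeGP", READ, True),
              ("FullTimeGP", APPLY, True)]


def gpo_applies(token, acl):
    """Return (applies, reason) for a logon token against a GPO's ACL."""
    def effective(perm):
        hits = [allow for trustee, p, allow in acl if p == perm and trustee in token]
        return bool(hits) and all(hits)           # any matching Deny ACE wins
    if not effective(READ):
        return False, f"{READ} not effectively allowed"
    if not effective(APPLY):
        return False, f"{APPLY} not effectively allowed"
    return True, "Read and Apply Group Policy both allowed"


def check(principal, groups, gpos):
    """Gpresult-style summary: GPO name -> (applies, reason)."""
    token = logon_token(principal, groups)
    return {name: gpo_applies(token, acl) for name, acl in gpos.items()}


if __name__ == "__main__":
    gpos = {"Default Domain Policy": DEFAULT_ACL, "Office": OFFICE_ACL}
    for who in ("Alice", "Don"):
        print(who, sorted(logon_token(who, GROUPS)), check(who, GROUPS, gpos))
    # Don is added to the full-time staff; the fix shows only with a new token.
    fixed = with_member(GROUPS, "FullTimeEmployees", "Don")
    print("stale token:      ", gpo_applies(logon_token("Don", GROUPS), OFFICE_ACL))
    print("after logoff/logon:", gpo_applies(logon_token("Don", fixed), OFFICE_ACL))
```

The model reproduces Don's case: his token carries ContingentStaff and ContingentGP, neither of which is allowed Apply Group Policy on the Office object, so the object is not applied; a token built after he joins FullTimeEmployees carries FullTimeGP and the object applies. It also shows the caveat behind section B.3 of the filtering strategies: had the administrators filtered with a Deny of Apply Group Policy for ContingentGP instead of simply omitting the group, Don would stay blocked even after joining FullTimeEmployees, because he remains in ContingentStaff and the Deny wins.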

|19|Chapter Summary

Group Policy Overview

Planning Group Policy Inheritance

Filtering Group Policy by Using Security Groups

Assessing Group Policy Troubleshooting

Outline, Chapter 7

Designing Microsoft Windows 2000 Network Security