Section 1: Introducing Group Policy What Is Group Policy? Group Policy Scenarios New Group Policy Features Introduced with Windows Server 2008 and Windows Vista New Group Policy Features Introduced with Windows Server 2008 R2 and Windows 7 New Group Policy Features in Windows Server 2012 and Windows 8 Client Managing Windows Environments with Group Policy

Upload: rosa-hill

Post on 30-Dec-2015


Section 1: Introducing Group Policy

What Is Group Policy?

Group Policy Scenarios

New Group Policy Features Introduced with Windows Server 2008 and Windows Vista

New Group Policy Features Introduced with Windows Server 2008 R2 and Windows 7

New Group Policy Features in Windows Server 2012 and Windows 8 Client

Managing Windows Environments with Group Policy


© 2013 Global Knowledge Training LLC. All rights reserved.

Section Objectives

After completing this section, you will be able to:
• Define Group Policy
• List the ways you can use Group Policy
• Describe the tools, features, and policies you can use to manage group policies
• Describe the new Group Policy features available in the latest versions of Windows


What Is Group Policy?

Group Policy is built on the Active Directory structure

Group Policy controls:
• Desktop settings and restrictions
• Security policies
• Folder redirection
• Software deployment
• Software restrictions
• Logon scripts


Desktop Settings and Restrictions

Configure standardized settings for the desktop environment:
• Screen saver
• Desktop background
• Shortcuts to Applications

Configure desktop restrictions to reduce support calls:
• Lock the taskbar
• Prevent access to control panel apps
• Restrict or hide Start screen/menu items


Security Policies

• Password Policy
• Account Lockout Policy
• Audit Policy and Advanced Audit Policies
• User Rights Assignment
• Security Options
• Event Log
• Restricted Groups
• System Services
• File System
• Windows Firewall with Advanced Security


Folder Redirection

Use Folder Redirection to store the user’s personal documents on a server instead of locally

• AppData(Roaming)
• Desktop
• Start Menu
• Documents
• Pictures
• Music
• Videos
• Favorites
• Contacts
• Downloads
• Links
• Searches
• Saved Games


Software Deployment

Myapp.msi

Distribute MSI packages to the Computer or User

Configure as Assigned or Published


Software Restrictions

Software Restriction Policies:
• Compatible with Windows XP and later
• Are more difficult to configure for large numbers of files

AppLocker Policies:
• Compatible with Windows 7 and later
• Can be created by scanning a folder structure
• Can use wild-card values to restrict or allow access


Logon Scripts

Computer scripts:
• Startup script
• Shutdown script

User scripts:
• Logon script
• Logoff script

Scripts can be written as:
• Executables
• VBScript, JavaScript, Perl scripts
• PowerShell scripts


Group Policy Scenarios

Scenario: Solution

• Prevent changes to the desktop environment: Use desktop restriction policy settings
• Enforce an Audit policy for servers: Use security policies
• Maintain user documents on a central server: Use Folder Redirection
• Assign a software package to many computers: Create a software deployment policy
• Prevent users from running unauthorized code: Use a software restriction policy
• Map a drive letter to a server resource: Create a login script in a policy


New Group Policy Features Introduced with Windows Server 2008 and Windows Vista

• Group Policy Management Editor Enhancements
• Group Policy Service Changes
• New GPO Settings


Group Policy Management Editor Enhancements

New Feature: Description

• New format for ADMX (Administrative Templates): XML format
• Starter GPO: Templates for GPO creation
• Comments for GPOs: Ability to add custom comments to GPOs
• GPO filtered view: Ability to sort or limit the display of policies
• GPMC: Now the default Group Policy tool


Group Policy Service Changes

• Group Policy service: Restarts and logoff/logon not required
• Local Group Policy enhancements: Multiple local GPOs
• Network location awareness: No longer relies on ICMP; ability to sort or limit the display of policies


New GPO Settings

Hundreds of new policy settings have been added:
• New power management options
• Block device driver installation
• Windows Firewall with Advanced Security options
• New Windows Internet Explorer options
• Location-Based printer installation
• Printer driver installation for non-administrators


New Group Policy Features Introduced with Windows Server 2008 R2 and Windows 7

• Windows PowerShell Cmdlets
• Group Policy Preferences
• Starter GPOs
• Administrative Template Settings
• AppLocker


New Group Policy Features in Windows Server 2012 and Windows 8 Client

• Remote Update from the GPMC
• PowerShell Invoke-GPUpdate
• Group Policy Infrastructure Status
• Policy Error Links in RSOP Results
• Hundreds of New GPO Items


Summary

Group Policy is a mechanism for applying computer and user settings to one or many computers throughout an Active Directory environment.

Use Group Policy to:
• Prevent changes to the desktop environment
• Enforce an Audit policy for servers
• Maintain user documents on a central server
• Assign a software package to many computers
• Prevent users from running unauthorized code
• Map a drive letter to a server resource


Summary (cont.)

New Group Policy features in Windows Server 2008 and Windows Vista


Feature Description

Group Policy Management Editor Enhancements

• New format for ADMX: Based on XML file format; new GPO tools can read ADM and ADMX files

• Starter GPO: Creates a template of GPO settings that you can reuse

• Comments for GPOs: Add custom comments to GPOs

• GPO filter view: Displays settings in a variety of ways, including sort view or filtered view

• GPMC: Standard tool for managing group policies

Group Policy Service Changes

• Group Policy service: Runs as a service of its own

• Local Group Policy enhancements: Create multiple GPOs for the local computer

• Network location awareness: Group Policy now uses event detection and event notification and provides faster startup times when group policies are applied


Summary (cont.)

New Group Policy features in Windows Server 2008 and Windows Vista (cont.)


Feature Description

New GPO Settings

• New power management options: Set central standard for power management settings

• Block device driver installation: Settings are now more granular; can block or allow device driver installation down to a specific PnP hardware identifier; can block installation of removable media devices; can customize a balloon tip message when installation is prevented

• Windows Firewall with Advanced Security options: With a new interface you can easily create outbound filters; IPSec functionality has been integrated directly into the Windows Firewall interface

• New Internet Explorer options: Most new Windows Internet Explorer settings are now configurable through Group Policy; can centrally define home pages, security settings, history retention, etc.

• Printer installation: Location-based printer installation (shared printer connections are automatically available to computer or user side of the GPO); printer driver installation for non-administrators (installation of printer device drivers now occurs in the background with elevated privileges)


Summary (cont.)

New Group Policy features in Windows Server 2008 R2 and Windows 7


Feature Description

Windows PowerShell cmdlets

• Manage Group Policy from Windows PowerShell and run Windows PowerShell scripts during logon and startup; cmdlets allow GPO configuration from command line and for automation

Group Policy Preferences

• Additional types of GPO preference items were added

Starter GPOs

• New default Starter GPOs were added to the GPMC interface

Administrative Template Settings

• New user interface and additional policy settings were added; Administrative Templates section was augmented with new settings and an editor window that is easier to navigate

AppLocker

• A new mechanism for restricting access to software that is only supported by Windows Server 2008 R2 and Windows 7; supports wildcards for version numbering, allowing a single policy to restrict multiple versions of a file; can restrict by user name or group


Knowledge Check

1. What is Group Policy used for? (Choose all that apply.)

a. To configure desktop settings

b. To deploy software

c. To enforce security policies

d. To run logon scripts

2. What is Group Policy?

It is a mechanism for applying computer and user settings to one or many computers throughout an Active Directory environment.


Knowledge Check (cont.)

3. Match each Group Policy feature with its correct description.


Group Policy Feature:
• GPMC
• Windows Firewall with Advanced Security
• AppLocker
• Windows PowerShell cmdlets
• Power management options

Description:
A. A tool used to create inbound and outbound firewall policies. IPSec functionality has been integrated directly into the interface.
B. These allow GPO configuration from the command line and for automation.
C. These set the central standard for power management settings.
D. A standard tool used to manage group policies.
E. A new mechanism for restricting access to software that is only supported by Windows Server 2008 R2 and Windows 7; supports wildcards for version numbering, allowing a single policy to restrict multiple versions of a file; can restrict by user name or group.

A

D

E

B

C