Thursday, July 18, 2013

Understanding Group Policy Part 1


Group Policy is a feature of Windows that enables you to manage change and configuration for users and computers from a central point of administration. There are thousands of configuration settings that can be managed with Group Policy.

Configuring a Policy Setting.
A policy setting can have three states: Not Configured, Enabled, and Disabled.
Not Configured means that the GPO will not modify the existing configuration.
If you enable or disable a policy setting, a change will be made to the configuration of users and computers to which the GPO is applied.

For example, if you enable the Prevent Access To Registry Editing Tools policy setting, users will be unable to launch the Regedit.exe Registry Editor. If you disable the policy setting, you ensure that users can launch the Registry Editor.

A GPO is an object that contains one or more policy settings, each of which applies one or more configuration settings for a user or computer.

A-Local GPOs.
Each computer has one local GPO, which can manage the configuration of that system. The local GPO exists whether the computer is part of a domain, part of a workgroup, or not on a network at all. It is stored in %SystemRoot%\System32\GroupPolicy. The policies in the local GPO affect only the computer on which the GPO is stored.

B-Domain-Based GPOs.
Domain-based GPOs are created in Active Directory and stored on domain controllers. They
are used to manage configuration centrally for users and computers in the domain.

When AD DS is installed, two default GPOs are created automatically:
1-Default Domain Policy:
This GPO is linked to the domain and it affects all users and computers in the domain (including domain controllers).
2-Default Domain Controllers Policy:
This GPO is linked to the Domain Controllers OU. This GPO affects only domain controllers. The Default Domain Controllers GPO should be modified to implement your auditing policies and user rights required on domain controllers.

SCOPE
The configuration changes in a GPO do not affect computers or users in your network until you have specified the computers or users to which the GPO applies. This is called scoping a GPO.

You can use several methods to manage the scope of GPOs.
1-GPO link.
GPOs can be linked to sites, domains, and OUs in Active Directory. A single GPO can be linked to more than one site or OU.

2- Security filters.
Security filters specify the global security groups to which the GPO should or should not apply.

3-Windows Management Instrumentation (WMI).
WMI filters specify a scope based on the operating system version or free disk space.

Group Policy Refresh.
Policy settings in the Computer Configuration node are applied at system startup and every 90–120 minutes. User Configuration policy settings are applied at logon and every 90–120 minutes.

You can manually update Group Policy by using the following commands:
gpupdate /force
gpupdate /target:computer
gpupdate /target:user


Some policy settings require a logoff or reboot before they actually take effect. You can use the following commands to do this without logoff or reboot.
gpupdate /logoff
gpupdate /boot
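
The policy setting, scoping and refresh steps described above, put together as an added example (not part of the original post). It assumes the GroupPolicy PowerShell module from Windows Server 2012 or later; the GPO name, OU, group and computer name are hypothetical placeholders.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module GroupPolicy    # installed with the Group Policy Management tools

$GpoName  = 'Restrict-Regedit'                 # hypothetical GPO name
$TargetOU = 'OU=Kiosks,DC=example,DC=com'      # hypothetical OU
$Group    = 'Kiosk-Users'                      # hypothetical global security group
$TestPC   = 'KIOSK01'                          # hypothetical computer in that OU

# 1. Create the domain-based GPO. Until it is scoped, it affects nobody.
New-GPO -Name $GpoName -Comment 'Blocks registry editing tools' | Out-Null

# 2. Enable "Prevent access to registry editing tools". This is a registry-based
#    User Configuration setting; a value of 1 blocks Regedit.exe for the user.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null

# 3. Scope by link: attach the GPO to the OU.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# 4. Scope by security filter: only $Group receives Apply. Authenticated Users
#    is reduced to Read so the GPO stays readable but is not applied to everyone.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 5. Review the resulting scope: links on the OU and permissions on the GPO.
(Get-GPInheritance -Target $TargetOU).GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order
Get-GPPermission -Name $GpoName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 6. Trigger a user policy refresh on a test computer instead of waiting
#    for the 90-120 minute background interval.
Invoke-GPUpdate -Computer $TestPC -Target User -RandomDelayInMinutes 0
```

Running gpresult /r /scope user on the test computer afterwards shows whether the GPO was applied or filtered out for the logged-on user.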


Categories of settings available in a GPO.
1- Computer Configuration:
The Computer Configuration node contains the settings that are applied to computers, regardless of who logs on to them.
2- User Configuration:
The User Configuration node contains settings that are applied when a user logs on to the computer.

In both the Computer Configuration and User Configuration nodes, the following nodes are available:
A-The Software Installation.
It helps you specify how applications are installed and maintained within your organization.

B- Windows Settings.
It includes the Scripts, Security Settings, and Policy-Based QoS nodes.

C- Administrative Templates:
The Administrative Templates node contains registry-based Group Policy settings. There are thousands of such settings available for configuring the user and computer environment.

D-Preferences
Preferences provide more than 20 policies to help you manage an incredible number of additional settings, such as:
 1-Mapped drives
 2-Registry settings
 3-Power options
 4-Folder options
 5-Regional options


Filtering Administrative Template Policy Settings.
With thousands of policies to choose from, it can be difficult to locate exactly the setting you want to configure. A new feature in Windows Server 2008 solves this problem for Administrative Template settings: you can now create filters to locate specific policy settings.

Starter GPO:
You can create a new GPO from a starter GPO, in which case the new GPO is populated with a copy of the settings in the starter GPO. A starter GPO is effectively a template: a set of predefined settings that can be linked with the GPO you are creating. Starter GPOs can contain only Administrative Templates policy settings.
