Module 4: Implementing Group Policy
To edit the settings for the remaining GPOs
- Repeat the previous procedure to configure the following Administrative
  Templates settings for users.

In this GPO               Enable this setting
Restricted Desktop        Start Menu & Taskbar\Disable changes to Control Panel Settings
                          Start Menu & Taskbar\Disable changes to Taskbar and Start Menu
                          Desktop\Hide My Network Places icon on the desktop
Restricted My Documents   Desktop\Prohibit user from changing My Documents path
To allow Group Policy Admins from student domains to administer the
Corporate Standard Desktop GPO
1. In the Add a Group Policy Object Link dialog box, in the All Group
Policy Objects in this domain window, right-click Corporate Standard
Desktop, and then click Properties.
2. On the Security tab, click Add.
3. In the Select Users, Computers, or Groups dialog box, in the Look in box,
select the first student domain, and under Name, double-click Group
Policy Admins.
4. Repeat step 3 for the Group Policy Admins in the remaining student
domains, and then click OK.
5. On the Security tab, under Name, select each instance of Group Policy
Admins, select the Allow check box next to Full Control, and then
click OK.
6. When you have finished configuring GPO settings, in the Add a Group
Policy Object Link dialog box, click Cancel to return to the Properties
dialog box for nwtraders.msft without linking the GPOs that you
just created.
7. Click Cancel to close the Add a Group Policy Object Link dialog box,
and log off Windows 2000.
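To review the result of this delegation afterwards, the following PowerShell script lists every trustee that can edit or fully control a GPO. It is an added example, not part of the courseware; it assumes a current domain with the GroupPolicy RSAT module, run in the domain that holds the GPO, and the allow-list in $expectedTrustees is a hypothetical baseline.

```powershell
# Added example (not from the courseware): report who can change each GPO.
# Assumes the GroupPolicy module (RSAT) on a domain-joined computer.
Import-Module GroupPolicy

# Hypothetical baseline of trustees expected to hold edit rights.
# "Group Policy Admins" is the group delegated in the procedure above.
$expectedTrustees = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'Group Policy Admins')

# Permission levels that allow a trustee to modify GPO settings.
# GpoEditDeleteModifySecurity corresponds to Full Control on the Security tab.
$writeLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')

function Get-GpoWriteDelegation {
    param(
        # Optional GPO display name; when omitted, every GPO in the domain is checked.
        [string]$Name
    )

    $gpos = if ($Name) { Get-GPO -Name $Name } else { Get-GPO -All }

    foreach ($gpo in $gpos) {
        foreach ($ace in (Get-GPPermission -Guid $gpo.Id -All)) {
            if ($writeLevels -notcontains $ace.Permission.ToString()) { continue }
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                Trustee     = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
                TrusteeType = $ace.Trustee.SidType
                Permission  = $ace.Permission
                InBaseline  = $expectedTrustees -contains $ace.Trustee.Name
            }
        }
    }
}

# Check the GPO from the procedure, then list every write delegation
# in the domain that falls outside the baseline.
Get-GpoWriteDelegation -Name 'Corporate Standard Desktop' | Format-Table -AutoSize
Get-GpoWriteDelegation | Where-Object { -not $_.InBaseline } |
    Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Because the procedure grants Full Control to groups from several domains, the Trustee column includes the domain part so that same-named groups can be told apart.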
Module Strategy
Use the following strategy to present this module:
- Introduction to Group Policy
In this topic, you will introduce Group Policy, including a high-level
overview of how Group Policy works. Mention the tasks that an
administrator can perform with Group Policy. Emphasize that by using
Group Policy, an administrator can configure settings once, and
Windows 2000 continually applies those settings to multiple users
and computers.
- Group Policy Structure
In this topic, you will explain the structure of Group Policy in a network.
First, explain the different types of Group Policy settings. Next, present
information on GPOs. Emphasize that a GPO consists of a Group Policy
container (GPC) and a Group Policy template (GPT). Then present
information on the linking of GPOs to Active Directory™ directory service
containers. Emphasize that settings in the GPO affect computers and users
in the containers to which the GPO is linked. Demonstrate the process of
creating a GPO. Finally, explain how to link an existing GPO, and
demonstrate the process.
- How Group Policy Settings Are Applied in Active Directory
In this topic, you will explain how Group Policy is applied in Active
Directory. First, explain the order in which Windows 2000 processes Group
Policy settings. Emphasize that Windows 2000 processes computer settings
before user settings. Then, present information on Group Policy inheritance.
Emphasize that the order in which Group Policy objects are applied is sites,
domains, and then OUs. Next, explain the process that determines resultant
Group Policy. The slide is animated so that you can display a new step on
the slide as you talk about it. Finally, present the class discussion on how
Group Policy is applied. There are two slides. The first slide poses the
question, and the second slide provides the answer. Display the second slide
after students have provided their answers.
- Modifying Group Policy Inheritance
In this topic, you will explain how to modify Group Policy inheritance.
First, present information on how to block the inheritance of Group Policy
settings from parent containers. Demonstrate the process. Emphasize that a
block cannot stop a forced GPO. Then present information on how to force
Group Policy settings, and demonstrate the process. Next, present
information on filtering the Group Policy settings by using Group Policy
permission. Emphasize that you can only prevent settings from applying to
specific users, computers, or security groups. Finally, present the class
discussion on how Group Policy is applied. The first slide poses the
question, and the second slide provides the answer. Display the second slide
after students have provided their answers.
- Lab A: Implementing Group Policy
Prepare students for the lab in which they will create and link GPOs and
modify Group Policy inheritance. Students will work alone. Make sure that
they run the command file for the lab. After students have completed the
lab, ask them whether they have any questions.
- Delegating Administrative Control of a Group Policy Object
In this topic, you will explain how to delegate administrative control of a
GPO. Emphasize that an administrator only delegates control of a GPO if
the user that needs control of the GPO settings does not have administrative
privileges for the container to which the GPO is linked.
- Lab B: Delegating Group Policy Administration
Prepare students for the lab in which they will delegate control of GPOs.
Students will work alone. After students have completed the lab, ask them
whether they have any questions.
- Best Practices
Present best practices for implementing Windows 2000 Group Policy.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
Important: The labs in this module are also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for course 1558A, Advanced Administration
for Microsoft Windows 2000.
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup Requirement 1
- The labs in this module require a regular user account for the student. To
prepare student computers to meet this requirement, create the user
account manually.
Setup Requirement 2
The labs in this module require the Log on locally right for domain controllers
to be assigned to the Everyone group. To prepare student computers to meet
this requirement, perform one of the following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab04\Setup\Lab04.cmd.
- Assign the right manually.
Setup Requirement 3
The labs in this module require that a shortcut for Active Directory Domains
and Trusts, Active Directory Users and Computers, and Active Directory
Sites and Services exists on the desktop of the regular user account. To
prepare student computers to meet this requirement, perform one of the
following actions:
- Log on to the domain by using the regular user account and run
  C:\MOC\Win1558a\Labfiles\Lab04\Setup\Lab04.cmd.
- Create the shortcuts manually and place them in
  C:\Winnt\Profiles\All Users\Desktop.
Setup Requirement 4
The labs in this module require the following OUs and user accounts. A number
(1 or 2) assigned by you is to be substituted for the variable x in the labs. One
student in each pair uses number 1, the other student uses number 2.
This OU                  In this organizational unit
Accounting x             Top Level OU in the domain
Accounts Payable         Accounting x
Accounting Receivable    Accounting x

This user account        In this organizational unit
AcctgUserx               Accounting x
AcctAdminx               Accounting x
AppUserx                 Accounting x
APUserx                  Accounts Payable
ARUserx                  Accounting Receivable
To prepare student computers to meet this requirement, perform one of the
following actions:
- Run C:\MOC\Win1558A\Labfiles\Lab04\Setup\Lab04.cmd.
- Create the OUs and user accounts manually.
Lab Results
Performing the labs in this module introduces the following
configuration changes:
- Students link GPOs from the Nwtraders.msft domain to OUs in
  their domain.
- Students create GPOs linked to Information Services OUs in their domain.
- Students modify the permissions for the GPOs that they created to allow a
  user to administer them.
Important: You can run
C:\MOC\Win1558A\Labfiles\Lab04\Setup\Lab04rm.cmd to remove most
configuration changes introduced during the labs in the module. Remove the
Log on locally right from the Everyone group manually. Manually delete the
GPOs created by students.
Overview
- Introduction to Group Policy
- Group Policy Structure
- How Group Policy Settings Are Applied in Active Directory
- Modifying Group Policy Inheritance
- Delegating Administrative Control of Group Policy Objects
- Best Practices
Group Policy in Microsoft® Windows® 2000 provides you with greater
administrative control over users and computers in your network. By using
Group Policy, you can define the state of a user’s work environment once, and
then rely on Windows 2000 to continually enforce the Group Policy settings
that you define. You can apply Group Policy settings that are network-wide, or
policies that pertain only to specific groups of users and computers.
Lost productivity is frequently attributed to user errors. By using Group Policy
to reduce the complexity of user environments and to remove the possibility of
users incorrectly configuring these environments, productivity increases, and
the network requires less technical support. Consequently, you lower your total
cost of ownership (TCO).
At the end of this module, you will be able to:
- Identify how Group Policy simplifies administration in a Windows 2000
  network.
- Identify the structure of Group Policy in a Windows 2000 network.
- Describe how Group Policy is applied in Active Directory™ directory service.
- Modify Group Policy inheritance.
- Delegate administrative control of Group Policy objects.
- Apply best practices for implementing Group Policy.
Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about using Group Policy to manage
desktop environments in a Windows 2000 network.
Briefly present the course objectives. Do not go into detail on this topic.
Introduction to Group Policy
- Set Centralized and Decentralized Policies
- Ensure Users Have Their Required Environments
- Control User and Computer Environments
- Enforce Corporate Policies
[Slide diagram: Administrator Sets Group Policy Once; Windows 2000 Applies
Continually. Labels: Group Policy, Site, Domain, OU, Users, Computers]
Group Policy is the technology that allows you to define user desktop
environments once, with user and computer settings, and then rely on
Windows 2000 to continually enforce the policy that you defined throughout
the network. You can associate Group Policy settings with Active Directory
containers: sites, domains, and organizational units (OUs). The Group Policy
then affects all users and computers in those containers.
By using Group Policy you can:
- Centralize policies by setting corporate-wide policy at the site or domain
level, or decentralize Group Policy settings by setting department-wide
policy at an OU level.
- Ensure that users have the user environments that they need to perform their
jobs by controlling their environments. This includes Group Policy that
controls registry settings (applications and system configuration settings),
scripts to modify the computer and user environment, automated software
installations, and security settings for local computers, domains, and
networks. You can also control where users’ data folders are stored.
- Lower the cost of operation by controlling user and computer environments.
This reduces the level of technical support that users require and lost user
productivity due to user error. For example, by using Group Policy, you can
prevent users from making changes to system configurations that can make
a computer inoperable, or you can prevent them from installing applications
that they do not require.
- Enforce a corporation’s policies, including business rules, goals, and
security needs. For example, you can ensure that security requirements for
all users match the security required by the corporation, and that all users
have the required Human Resource documents or company mission
statements available on their desktops.
Slide Objective: To introduce Group Policy and to present the advantages of
using Group Policy when administering a Windows 2000 network.
Lead-in: Windows Group Policy provides you with tremendous capabilities to
administer your network.
After defining what Group Policy can do, briefly discuss the bullets on
the slide.
Key Points: Administrators can use Group Policy to configure settings once
and have Windows 2000 continually apply those settings.
You can associate Group Policy with specific Active Directory containers
(sites, domains, and OUs).
Group Policy Structure
- Types of Group Policy Settings
- Group Policy Objects
- Group Policy Objects and Active Directory Containers
- Creating a Group Policy Object
- Linking an Existing Group Policy Object
The structure of Group Policy provides greater flexibility in managing users
and computers. The detailed settings contained in a Group Policy object (GPO)
allow you to control specific items in a variety of areas. Because part of a GPO
lives in Active Directory, you can associate GPOs with different Active
Directory containers (sites, domains, or OUs). Because you can associate GPOs
with different levels in Active Directory, you can set Group Policy settings that
are organizational-wide or that affect only one department.
Slide Objective: To introduce how Group Policy is structured in
Windows 2000.
Lead-in: You need to understand the structure of Group Policy in order to
apply it efficiently and correctly.
Briefly mention the Group Policy structure topics that are covered here.
Do not go into detail on this topic.
Types of Group Policy Settings

Administrative Templates   Registry-based Group Policy settings
Security                   Settings for local, domain, and network security
Software Installation      Settings for central management of software installation
Scripts                    Startup, shutdown, logon, and logoff scripts
Folder Redirection         Settings for storing of users’ folders on a network server
You can configure Group Policy settings to define the policies that affect users
and computers. The different types of settings you can configure are:
- Administrative Templates. Registry-based settings that allow you to
configure application settings and user desktop environments. This includes
the operating system components and applications to which users can gain
access, the degree of access to Control Panel options, and control of users’
offline files.
- Security. Settings that allow you to configure local computer, domain, and
network security settings. This includes controlling user access to the
network, setting up account and audit policies, and controlling user rights.
For example, you can set the maximum number of failed logon attempts that
a user account can have before it is locked out.
- Software Installation. Settings that allow you to centralize the management
of software installations, updates, and removals. You can cause applications
to automatically install on client computers, to be automatically upgraded,
or to be automatically removed. You can also publish applications so that
they appear in Add/Remove Programs. This provides users with a central
location to obtain applications for installation.
- Scripts. Settings that allow you to specify when Windows 2000 runs
specific scripts. You can specify when a computer starts and shuts down,
and when a user logs on and logs off. You can specify scripts to perform
batch operations, control multiple scripts, and determine the order in which
they run.
- Folder Redirection. Settings that allow you to store specific user profile
folders on a network server. The settings create a link in the profile to the
network share, but the folders appear locally. The user can gain access to the
folder on any computer in the network. For example, you can redirect a
user’s My Documents folder to a network share.
Slide Objective: To describe the different types of Group Policy settings
that an administrator can configure.
Lead-in: To set up Group Policy, you must configure the Group Policy
settings that you want to apply. Windows 2000 organizes these settings into
different types to make this easier.
Show the different Group Policy settings to students by opening Group Policy
and expanding Computer Configuration or User Configuration.
Tell students that they should review the settings in detail when planning
their Group Policy strategies.
Mention to students that there are a large number of Administrative Template
settings. They can learn more about these settings in module 5, “Using Group
Policy to Manage User Environments,” in course 1558A, Advanced
Administration of Microsoft Windows 2000.
Key Point: Because of the different types of Group Policy settings,
administrators have flexibility in how they use Group Policy.
Group Policy Objects

Group Policy Object
- Contains Group Policy settings
- Content stored in two locations

Group Policy Container
- Located in Active Directory
- Provides version information used by domain controllers

Group Policy Template
- Located in domain controller shared Sysvol folder
- Provides Group Policy settings that computers running Windows 2000
  obtain and apply
The GPO is the mechanism for implementing Group Policy. A GPO contains
settings for different types of Group Policy and is associated with selected
Active Directory containers (sites, domains, and OUs). Windows 2000 then
applies the Group Policy settings contained in the GPO to the user and
computer objects in the container with which the GPO is associated.
The content of a GPO is actually stored in two different locations. Those
locations are:
- The Group Policy container (GPC). The GPC is an Active Directory object
that contains GPO attributes and version information. Because the GPC is in
Active Directory, computers can access it to locate Group Policy templates,
and domain controllers can access it to obtain version information.
Domain controllers use the version information to verify they have the most
recent version of the GPO. If they do not, replication occurs with the
domain controller that has the latest version of the GPO.
Note: To view the GPC in Active Directory, enable Advanced Features in
Active Directory Users & Computers, expand the domain, expand the
System container, and then expand the Policies container.
- The Group Policy template (GPT). The GPT is a folder hierarchy in the
shared Sysvol folder on domain controllers. When you create a GPO,
Windows 2000 creates the corresponding GPT folder hierarchy. The GPT
contains all Group Policy settings and information, including administrative
templates, security, software installation, scripts, and folder redirection
settings. Computers connect to the Sysvol folder to obtain the settings.
The name of the GPT folder is the globally unique identifier (GUID) of the
GPO that you created and is identical to the GUID used to identify the GPO
in the GPC. The path is systemroot\Sysvol\sysvol.
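The two storage locations can be checked against each other. The following PowerShell script is an added example, not part of the courseware; it assumes a current domain with the ActiveDirectory RSAT module and relies on the groupPolicyContainer attributes versionNumber and gPCFileSysPath and on the GPT.INI file in each GPT folder, none of which the module text names.

```powershell
# Added example (not from the courseware): compare the GPC and GPT of every GPO.
# Assumes the ActiveDirectory module (RSAT) and read access to Sysvol.
Import-Module ActiveDirectory

function Get-GpoStorageState {
    $domainDn = (Get-ADDomain).DistinguishedName

    # GPCs are groupPolicyContainer objects under System\Policies in the domain.
    $gpcs = Get-ADObject -SearchBase "CN=Policies,CN=System,$domainDn" `
        -SearchScope OneLevel -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties displayName, versionNumber, gPCFileSysPath

    foreach ($gpc in $gpcs) {
        # gPCFileSysPath points at the GPT folder, whose name is the GPO GUID.
        $gptPath     = $gpc.gPCFileSysPath
        $gptVersion  = $null
        $guidMatches = $false

        if ($gptPath) {
            $guidMatches = (Split-Path $gptPath -Leaf) -eq $gpc.Name
            $gptIni = Join-Path $gptPath 'GPT.INI'
            if (Test-Path -LiteralPath $gptIni) {
                # GPT.INI holds the GPT's copy of the version: "Version=<number>".
                $m = Select-String -LiteralPath $gptIni -Pattern '^\s*Version\s*=\s*(\d+)' |
                    Select-Object -First 1
                if ($m) { $gptVersion = [long]$m.Matches[0].Groups[1].Value }
            }
        }

        $gpcVersion = [long]$gpc.versionNumber
        [pscustomobject]@{
            Name        = $gpc.displayName
            Guid        = $gpc.Name          # "{GUID}", also the GPT folder name
            GuidMatches = $guidMatches
            GpcVersion  = $gpcVersion
            GptVersion  = $gptVersion
            # The version packs two counters: user (high 16 bits), computer (low 16 bits).
            UserRev     = ($gpcVersion -shr 16) -band 0xFFFF
            ComputerRev = $gpcVersion -band 0xFFFF
            InSync      = ($null -ne $gptVersion) -and ($gptVersion -eq $gpcVersion)
        }
    }
}

# Show only GPOs whose two halves disagree or whose GPT is missing.
Get-GpoStorageState | Where-Object { -not $_.InSync -or -not $_.GuidMatches } |
    Format-Table -AutoSize
```

A mismatch that persists after replication has settled indicates a GPT that is missing or was changed outside the Group Policy tools, and is worth investigating.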
Slide Objective: To explain the GPO and its components.
Lead-in: The mechanism for implementing Group Policy settings is the Group
Policy object. It contains the settings that you configure.
If students ask about the GUID, mention that it is a unique 128-bit number
that a domain controller assigns to an object when it is created. The GUID
is stored as an attribute of the object and is used to identify the object
in the domain, domain tree, and forest. Users cannot change or remove
the GUID.
Delivery Tip: Open Active Directory Users and Computers and show students
where the GPC is stored. Then open the systemroot/Sysvol/sysvol folder in
Windows Explorer and show students where a GPT is stored.
Key Points: The GPO is the mechanism for implementing Group Policy. Its
content is stored in the GPC and GPT. The GPC is stored in Active Directory
and provides the version information.
The GPT contains the settings and is stored in the Sysvol folder on
domain controllers.
Group Policy Objects and Active Directory Containers
- GPO Settings Affect User and Computer Objects in Containers to Which a
  GPO Is Linked
- GPOs Cannot Be Linked to Default Active Directory Containers
[Slide diagram labels: Site, Domain, OU, Site GPO, Domain GPO, OU GPO]
GPOs are associated, or linked, to specific Active Directory containers: sites,
domains, and OUs. This allows you to set centralized and decentralized
policies. The linking of a GPO to a container causes the Group Policy settings
to affect user and computer objects in that container.
The ability to link existing GPOs provides flexibility when implementing
Group Policy settings. You can link GPOs in the following ways:
- Link one GPO to multiple containers in your network. This provides you
with the ability to configure Group Policy settings that apply to users and
computers in different OUs. For example, you can create a GPO that runs a
logon script and then link it to OUs that have users for whom you want the
script to run.
- Link multiple GPOs to one container. Rather than have all of the different
types of Group Policy settings for a container in one GPO, you can create
several GPOs for different types of Group Policy settings and then link them
to the appropriate containers. For example, you can link a GPO that contains
network security settings, and another GPO that contains software
installation, to the same OU. These multiple GPOs can also be linked to
other OUs.
Important: You cannot link GPOs to the default Active Directory containers—
Users, Computers, and Builtin. Although these containers exist within Active
Directory, they are not OUs.
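The links described above can be listed for a whole domain. The following PowerShell script is an added example, not part of the courseware; it assumes a current domain with the ActiveDirectory RSAT module and reads the gPLink attribute in which a site, domain, or OU records its linked GPOs, an attribute the module text does not name.

```powershell
# Added example (not from the courseware): list GPO links per container.
# Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-GpoLinkMap {
    $rootDse  = Get-ADRootDSE
    $domainDn = $rootDse.defaultNamingContext
    $sitesDn  = "CN=Sites,$($rootDse.configurationNamingContext)"

    # Map GPO GUID -> display name from the GPCs in this domain.
    $names = @{}
    Get-ADObject -SearchBase "CN=Policies,CN=System,$domainDn" `
        -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName |
        ForEach-Object { $names[$_.Name.ToUpper()] = $_.displayName }

    # gPLink holds one [LDAP://cn={GUID},cn=policies,...;<options>] entry
    # per linked GPO.
    $entry = [regex]'(?i)\[LDAP://cn=(?<guid>\{[0-9a-f-]{36}\})[^;\]]*;(?<opt>\d+)\]'

    # Domain and OUs live in the domain partition, sites in the configuration partition.
    foreach ($base in $domainDn, $sitesDn) {
        Get-ADObject -SearchBase $base -LDAPFilter '(gPLink=*)' -Properties gPLink |
        ForEach-Object {
            $container = $_
            foreach ($m in $entry.Matches([string]$container.gPLink)) {
                $guid = $m.Groups['guid'].Value.ToUpper()
                $opt  = [int]$m.Groups['opt'].Value
                [pscustomobject]@{
                    Container   = $container.DistinguishedName
                    Type        = $container.ObjectClass
                    # GPOs linked from another domain are not in $names; show the GUID.
                    Gpo         = if ($names.ContainsKey($guid)) { $names[$guid] } else { $guid }
                    LinkEnabled = -not ($opt -band 1)    # bit 0 set: link disabled
                    Enforced    = [bool]($opt -band 2)   # bit 1 set: No Override
                }
            }
        }
    }
}

$links = Get-GpoLinkMap

# GPOs linked to more than one container.
$links | Group-Object Gpo | Where-Object Count -gt 1 | Select-Object Name, Count

# Every container with its linked GPOs. The Type column only ever shows
# site, domainDNS, or organizationalUnit; Users, Computers, and Builtin
# never appear because they cannot carry links.
$links | Sort-Object Container |
    Format-Table Container, Type, Gpo, LinkEnabled, Enforced -AutoSize
```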
Slide Objective: To show how GPOs are linked in Windows 2000.
Lead-in: Group Policy objects, or GPOs, are linked or associated with Active
Directory containers. After you link a GPO to a container, the settings in
that GPO apply to the users and computers in the container.
Key Points: Group Policy objects are linked to Active Directory containers.
This linking makes the GPO settings affect computers and users in
the containers.
An administrator can link one GPO to multiple containers, and multiple GPOs
to one container.
An administrator cannot link GPOs to the default Active Directory
containers—Computers, Users, and Builtin—because they are not OUs.