Section Objectives
Section Overview
This section describes the differences between local and domain policies and the Group Policy
management tools you can use to manage these policies. One of these tools is the Group
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=3&FontSize=
1/32
16/11/2014
Using Gpedit.msc
The advantage of this tool is that it is simple to run. However, when you launch gpedit.msc
manually, you can only edit policies on the local computer and you cannot change its focus.
Figure 23: Using MMC.exe with the Group Policy Object Editor Snap-in
Another way to edit policies is to use the MMC (Microsoft Management Console). After the
MMC starts, you can add the GPOE snap-in to the console. When you add the snap-in, you
will be prompted to edit the policies for either the local computer, or another system on the
network.
The advantages of using the MMC with the Group Policy Object Editor snap-in are:
You can edit policies on remote computers.
On Windows Vista and later computers, you can edit multiple local policies via the MMC
with the Group Policy Object Editor snap-in.
You can save the MMC to an *.msc file to conveniently edit local or remote computer
policies.
These tools are very helpful in testing and troubleshooting the policies that are applied to
computers or users.
This section describes the Group Policy Management Console.
Understanding the Group Policy Management Console
Action
Tool
Figure 27: Actions Performed with Group Policy and Tools Used to Carry Them Out
If you think about the number of menus, submenus, property sheets, and dialog boxes in any
of the tools, you realize that working with these fragmented tools in Group Policy can be an
overwhelming task.
The GPMC Solution
The GPMC, released in April 2003 as a separate download (not part of the Windows 2003
Server distribution), lets you perform all the activities, which are listed in Figure 27, from a
single console, gpmc.msc. (Although the GPMC does not actually have GPO editing
capability, you can start the Group Policy console from its user interface.)
Additionally, the Group Policy Management Console provides the ability to:
Back up and restore policy objects
Import settings from one policy object as the basis for creating a new object
View all the links for a specific policy object
2.
3.
4. Select the Remote Server Administration Tools, Feature Administration Tools, Group
Policy Management Tools option.
5. Click OK.
To enable the GPMC on Windows Server 2008 or later, follow these steps:
1.
2. Use the Add Roles and Features option to add the Group Policy Management feature.
Installation Requirements
The GPMC requires Windows XP or later to run. The GPMC does not run on:
A Windows 2000 Professional or Windows 2000 Server computer of any kind, even
though the GPMC can administer a Windows 2000 network.
A 64-bit version of Windows XP or Windows Server 2003.
Domain member: The computer on which you run GPMC must be a member of either a
domain in the forest that you wish to administer, or a domain that has a trust with that
forest. That is, you cannot run GPMC on a computer that belongs to a workgroup.
Domain controllers: In order to support the signed-and-encrypted LDAP communications
that GPMC uses, GPMC requires that any Windows 2000 Server domain controllers must
run SP2 or higher, and the Windows 2000 Server domain controllers in a separate forest to
which you connect must run SP3 or higher.
For Windows XP: If you want to run the console on Windows XP, you need to fulfill these
additional requirements:
Upgrade Windows XP to SP1.
You must have the Microsoft .NET Framework.
GPMC requires hotfix Q326469 (which updates Gpedit.dll to version 5.1.2600.1186).
The GPMC installer offers to install this for you if you do not already have it.
For Windows Vista and later: If you want to run the console on Windows Vista or later
operating systems to take advantage of all the new Group Policy features, you need to:
Download and install the RSAT Pack for your version of Windows Client.
Use Control Panel, Programs and Features, Turn Windows Features On or Off to enable
the RSAT features that you need, including the GPMC.
In the Server Manager on Windows Server 2012 and Windows 8 Client, click Tools,
Group Policy Management.
Click Start and type gpmc.msc.
Click Start (All Programs, if necessary), Administrative Tools, and Group Policy
Management.
Run mmc.exe and create your own custom console, adding the Group Policy
Management snap-in.
In Windows XP and Windows Server 2003, in Active Directory Users and Computers or
Active Directory Sites and Services, go to the Group Policy tab and click Open.
Note
When the GPMC is installed on Windows XP or Windows Server 2003, the Group Policy tab
of Active Directory Users and Computers (and, for site policies, Active Directory Sites and
Services) is disabled. Instead, you get a dialog box on a Windows XP or Windows Server 2003
computer directing you to the GPMC. In Windows Vista and later there is no Group Policy
tab available in the ADUC tool.
Using the GPMC from the Server Manager
corresponding to the forest that your computer account resides in. The following subnodes will
appear under the forest node:
Domains
Sites
Group Policy Modeling
Group Policy Results
Right-click the Domains node, select Show Domains, and then select the domain or domains
that you wish to view by checking the appropriate boxes. You can show multiple domains in
the console pane at the same time, although their DNS structure will not affect their placement
in the console.
You can connect to a different forest, if desired, by right-clicking the top node (Group Policy
Management) and choosing Add Forest. However, the forest you add must be trusted by the
forest you are already in.
As usual with MMCs, the Action menu mirrors the context menu for each node. The contents
of the details pane change depending on what you select in the console pane. In addition, you
can expand nodes by clicking the plus (+) sign next to them.
Searching and Filtering
When you create search criteria, specify a search item, a condition, and a value.
Search Item: This criterion specifies what kind of item you are looking for; for example, a
GPO name, a user configuration setting, or a GPO GUID.
Condition: This criterion is really more correctly referred to as an operator and relates the
search item to the value. Example conditions are Contains, Exist in, Has This Explicit
Permission, Is, Is Not, and so on. The available conditions depend on what you choose
for your search item.
Value: This criterion is the syntactical object of the operator, specifying the precise details
of what you want your search to find. It might be a specific domain or OU name, a
particular kind of policy setting, or a certain security permission.
The choices you can select from the Search Item drop-down menu are:
GPO Name: Enables you to specify the exact name, or a substring.
GPO Link: Enables you to specify links that exist, or do not exist, in specific domains or
sites. This setting is useful for finding GPOs with cross-domain links, as well as GPOs with
no links at all.
Security Group: Enables you to specify a search for GPOs where security groups have or
do not have apply, edit, and read permissions, either explicitly or effectively.
Linked WMI Filter: Enables you to specify the name of the filter.
User Configuration: Enables you to specify a search for GPOs where the User
Configuration half of the policy object contains, or does not contain, Folder Redirection,
IE Branding, Registry, Scripts, or Software Installation settings.
Computer Configuration: Enables you to specify a search for GPOs where the Computer
Configuration half of the policy object contains, or does not contain, EFS Recovery, IP
Security, Disk Quota, QoS Packet Scheduler, Registry, Scripts, Security, Software
Installation, or Wireless Group Policy settings.
GPO GUID: Enables you to specify the globally unique identifier for the GPO.
Caution
The search function has a known bug: it can return false positives when settings in the
following categories are made, then later removed:
EFS
Folder Redirection
IE Maintenance
Security Settings
Software Installation
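A scripted counterpart to the GPO Link, User Configuration and Computer Configuration search items, added here as an example that is not part of the courseware. The helper name Get-GpoLinkSummary and the sample reports are constructed for illustration; the live call assumes the RSAT GroupPolicy PowerShell module.

```powershell
# Added example: summarise a GPO's links and populated halves from its XML report.
# Get-GpoLinkSummary is a hypothetical helper name, not a GroupPolicy module cmdlet.
function Get-GpoLinkSummary {
    param([Parameter(Mandatory)][xml]$Report)
    $gpo   = $Report.GPO
    # A GPO with no links has no <LinksTo> element, so this yields an empty array.
    $links = @($gpo.LinksTo | Where-Object { $_ })
    [pscustomobject]@{
        Name         = $gpo.Name
        LinkCount    = $links.Count
        EnabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' }).Count
        LinkedTo     = ($links | ForEach-Object { $_.SOMPath }) -join '; '
        # Assumption: <ExtensionData> is present under Computer/User only when
        # that half of the policy object holds settings.
        ComputerHalf = [bool]$gpo.Computer.ExtensionData
        UserHalf     = [bool]$gpo.User.ExtensionData
    }
}

# Constructed sample reports (trimmed, not real output) so the function runs offline.
$samples = @(
    '<GPO><Name>Workstation Baseline</Name>' +
      '<Computer><ExtensionData><Name>Security</Name></ExtensionData></Computer><User />' +
      '<LinksTo><SOMPath>corp.example/Workstations</SOMPath><Enabled>true</Enabled></LinksTo></GPO>'
    '<GPO><Name>Old Pilot Policy</Name><Computer />' +
      '<User><ExtensionData><Name>Scripts</Name></ExtensionData></User></GPO>'
)
$samples | ForEach-Object { Get-GpoLinkSummary -Report ([xml]$_) } | Format-Table -AutoSize

# Against a live domain, list GPOs that have no links at all:
# Get-GPO -All |
#   ForEach-Object { Get-GpoLinkSummary -Report ([xml](Get-GPOReport -Guid $_.Id -ReportType Xml)) } |
#   Where-Object LinkCount -eq 0
```

Unlinked GPOs and GPOs with only disabled links are worth reviewing during a policy audit, since they apply to nothing yet can still be edited and linked later.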
Commented items
Keyword filtering
Requirements filtering
may sometimes need to apply policies ahead of the normal refresh interval of 90 to 120
minutes.
Invoke-GPUpdate is a PowerShell version of this tool that provides additional options.
Gpresult.exe
The Group Policy Results tool, or gpresult.exe, is a command-line tool that can display all the
policy settings that are active for a computer or user. You can redirect output from the tool to
a file for later viewing.
Get-GPResultantSetOfPolicy is a PowerShell form of RSOP that can provide results as either
HTML or XML output.
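To confirm that an expected policy object actually took effect on a computer, the XML form of the RSoP report can be checked by script. The following is an added example, not part of the courseware: Test-GpoApplied is a hypothetical helper, the computer and GPO names and the sample report are constructed, and the element names are assumed from the RSoP XML report layout.

```powershell
# Added example: read an RSoP XML report and say why a GPO did or did not apply.
# Element names (Rsop, ComputerResults, GPO, AccessDenied, FilterAllowed, Enabled)
# are an assumption about the report layout; check them against your own report.
function Test-GpoApplied {
    param(
        [Parameter(Mandatory)][xml]$Rsop,
        [Parameter(Mandatory)][string]$GpoName,
        [ValidateSet('Computer', 'User')][string]$Scope = 'Computer'
    )
    $results = if ($Scope -eq 'Computer') { $Rsop.Rsop.ComputerResults } else { $Rsop.Rsop.UserResults }
    $gpo = @($results.GPO) | Where-Object { $_.Name -eq $GpoName } | Select-Object -First 1
    if (-not $gpo)                      { return 'NotInScope' }              # not linked above this object
    if ($gpo.AccessDenied  -eq 'true')  { return 'DeniedBySecurityFilter' }
    if ($gpo.FilterAllowed -eq 'false') { return 'DeniedByWmiFilter' }
    if ($gpo.Enabled       -eq 'false') { return 'Disabled' }
    return 'Applied'
}

# Constructed sample report (trimmed, not real output) so the check runs offline.
$sample = @'
<Rsop><ComputerResults>
  <GPO><Name>Workstation Baseline</Name><Enabled>true</Enabled>
       <FilterAllowed>true</FilterAllowed><AccessDenied>false</AccessDenied></GPO>
  <GPO><Name>Laptop Encryption</Name><Enabled>true</Enabled>
       <FilterAllowed>false</FilterAllowed><AccessDenied>false</AccessDenied></GPO>
</ComputerResults></Rsop>
'@
'Workstation Baseline', 'Laptop Encryption', 'Server Hardening' | ForEach-Object {
    [pscustomobject]@{ GPO = $_; Status = Test-GpoApplied -Rsop ([xml]$sample) -GpoName $_ }
}

# Live use ('PC01' is a placeholder). Invoke-GPUpdate only schedules the refresh on
# the remote computer and returns at once, so collect the report after it has run.
# Invoke-GPUpdate -Computer 'PC01' -Force -RandomDelayInMinutes 0
# Get-GPResultantSetOfPolicy -Computer 'PC01' -ReportType Xml -Path "$env:TEMP\PC01-rsop.xml"
# Test-GpoApplied -Rsop ([xml](Get-Content "$env:TEMP\PC01-rsop.xml" -Raw)) -GpoName 'Workstation Baseline'
```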
Creating Policies
Editing Policies
Policies
In the Group Policy Management Editor, most of the settings and restrictions that affect
computers and users fall under the Policies section. Within the Policies section are three subsections:
Software Settings: Allows for the deployment of MSI based software packages via Group
Policy.
Windows Settings: Contains settings that relate to security, folder redirection, logon scripts
and more.
Administrative Templates
The Administrative Templates section contains the most widely used settings within Group
Policy.
These settings affect everything from the desktop and start menu, to individual applications.
Administrative Templates settings are often associated with locking down the desktop
environment, but can be used for much more. Settings in the Computer Configuration section
affect the machine as a whole no matter who logs on. The settings in the User Configuration
section affect the user wherever they log on.
Preferences
Group Policy Preferences go beyond the typical capabilities of the settings found under
Policies.
These settings are more granular, and can apply to systems in a more flexible manner.
Preferences are broken down into two sub-sections: Windows Settings and Control Panel
Settings.
Preferences do not lock down the setting, allowing a user to change the value at a later time.
Configuring Values
Some policies will have additional values available if they are enabled. These values could be
checkboxes, radio buttons, text values, or drop-down lists of options.
Once you click OK to accept the change to the value, that setting is immediately available to
the level at which the GPO is linked.
troubleshooting policies, it may sometimes be necessary to apply policies ahead of the normal
refresh interval of 90 to 120 minutes.
Remote GPUpdate in the GPMC
2. Right-click an OU that has machines that need to be updated, then select the Group
Policy Update option.
3.
Acronyms
DNS
EFS
GPOE
GUID
IE
IP: Internet Protocol
LDAP
MMC
OU: organizational unit
QoS: Quality of Service
RSAT
RSoP
SP1: Service Pack 1
SP2: Service Pack 2
SP3: Service Pack 3
WMI: Windows Management Instrumentation
Section Review
Summary
The advantages of using domain policies instead of local policies are:
You can apply policies on a broad basis to a large number of computers and users.
This provides a central management capability that is not available when you configure
policies locally.
Policies that are configured through the domain cannot be overridden by local policy
settings, so they are more secure.
Using the GPMC, you can perform most of the common Group Policy operations without
having to switch between separate windows in separate Active Directory utilities. The
GPMC also offers the following capabilities:
OU hierarchy view
Policy editing
RSoP
Backup and restore of policies
Back up policy objects (and restore them if necessary)
Import settings from one policy object as the basis for creating a new object
View all the links for a specific policy object
The GPMC is included in the RSAT pack for Windows Vista and later. It is also included in
Windows Server 2008 and later, but you must enable it. The GPMC requires Windows XP
or later to run. It also requires the following:
The computer on which you run GPMC must be a member of either a domain in the
forest that you wish to administer, or a domain that has a trust with that forest.
Windows 2000 Server domain controllers must run SP2 or higher.
Windows 2000 Server domain controllers in a separate forest to which you connect must
run SP3 or higher.
For Windows XP, GPMC also requires the following:
o Upgrade Windows XP to SP1
o Microsoft .NET Framework
o Hotfix Q326469 (updates gpedit.dll to version 5.1.2600.1186)
Knowledge Check
1. What are the advantages of using domain policies instead of local policies? (Choose all
that apply.)
a.
b.
c.
d. They are helpful in a workgroup scenario when you cannot use local-based policies.
2.
3.
4.
5. In which ways can you limit the display of Administrative Templates? (Choose all that
apply.)
a. Managed items
b. Deleted items
c. Commented items
d. Keyword filtering
6. Describe each tool, feature, or policy used to manage group policies in the space
provided.
Group Policy Management Editor:
Gpupdate.exe:
Folder redirection:
User Configuration and Computer Configuration sections of Group Policy:
What are the advantages of using domain policies instead of local policies? (Choose all
that apply.)
a.
b.
c.
d. They are helpful in a workgroup scenario when you cannot use local-based policies.
2.
3.
4.
5. In which ways can you limit the display of Administrative Templates? (Choose all that
apply.)
a. Managed items
b. Deleted items
c. Commented items
d. Keyword filtering
6. Describe each tool, feature, or policy used to manage group policies in the space
provided.
Group Policy Management Editor: Is used to view and modify all of the policy settings
within a GPO.
Gpupdate.exe: Is used to remotely update GPOs.
Folder redirection: A process that stores the user's personal My Documents files on a
server instead of locally.
User Configuration and Computer Configuration sections of Group Policy:
User configuration settings apply only to the computer objects that are within the
scope of the policy.
Computer configuration settings apply only to the user objects that are within the
scope of the policy.