
Lesson 7: Identifying the Role of a Group Policy

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon

The role of a Group Policy begins when a computer starts up or when a user logs on
During startup and logon, both Computer Configuration and User Configuration settings are applied in a specific sequence

(Skill 3)

Figure: The sequence in which Computer Configuration and User Configuration settings are applied

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon (2)

Every computer has one GPO that is stored locally
This local Group Policy Object (LGPO) is applied first
The processing sequence becomes very important when dealing with multiple policies
If there are no conflicts between the policies, all settings from all of the policies apply
However, if a conflict occurs, the policy applied last wins

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon (3)

Sequence in which Group Policy settings are processed (LSDOU):
Local GPO
Site GPOs
Domain GPOs
OU GPOs

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon (4)

If more than one GPO is linked to a container, the policies are processed in reverse link order for each individual container
This is done so that the policy considered to be the most important is displayed at the top of the list of all GPOs applied to a particular container

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon (5)

Like files and folders, Group Policies are also inherited from parent containers to child containers
You can specifically set a separate Group Policy setting for a child container to override the settings it inherits from its parent container
It is extremely important to note that, like OU structures, Group Policies do not flow between domains

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon (6)

Group Policy applied to a parent domain does not apply to its child domain or domains
The only container that can apply Group Policies to multiple domains is the site container
Group Policy applied to a site affects all users and computers in the site, regardless of domain
For this reason, you must be an Enterprise Admin in order to apply a Group Policy to a site

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon (7)

Exceptions to the order in which GPOs are processed
If a computer belongs to a workgroup, it processes only local GPOs
You can modify the default behavior using the Block Inheritance option, but this can make GPO administration more complicated and it should be used sparingly
You can block inheritance for GPO links for an entire domain, for all domain controllers, or for an OU

(Skill 3)

Figure: Blocking inheritance for the GPO links for all domain controllers

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon (8)

Exceptions to the order in which GPOs are processed
The default order for processing Group Policy settings is also affected when you set a GPO link to Enforced
Policy settings in the enforced GPO link take precedence over child object settings
Enforced gives the parent GPO link precedence, so the default behavior (the last-applied policy wins) does not apply (formerly called the No Override option)
GPO administration is more complex
Enforced GPO links cannot be blocked by Block Inheritance

(Skill 3)

Figure: The Enforced setting

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon (9)

Exceptions to the order in which GPOs are processed
If the Block Inheritance option is set for a domain or OU, the GPOs above that point in the structure do not affect users or computers in that structure; they are blocked
If there is a conflict between Enforced and Block Inheritance, Enforced always wins

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon (10)

Exceptions to the order in which GPOs are processed
You can disable a GPO link to block that GPO from being applied for the selected site, domain, or OU
This disables the GPO only for the selected container object; it does not disable the GPO itself
If the GPO is linked to other sites, domains, or OUs, they continue to process the GPO as long as their links are enabled
Processing is enabled for all GPO links by default
To disable a GPO link, right-click it and select the Link Enabled command (a check mark indicates it is enabled)

(Skill 3)

Figure: The Link Enabled command

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon (11)

Exceptions to the order in which GPOs are processed
When GPOs are linked to the same container, policies are evaluated based on the link order set on the Linked Group Policy Objects tab for the container object
The policy settings in the GPO with the lowest link order (Link Order 1) are processed last
Link Order 1 therefore has the highest precedence and is used to settle a conflict
Use the arrow buttons to change the link order
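The processing rules on the preceding slides (LSDOU order, reverse link order within a container, Block Inheritance, Enforced, disabled links, and the last-applied-wins conflict rule) can be checked against a small model. The following Python script is an added example written for these notes; it is not part of the original slides, and it models the general precedence algorithm rather than any single slide's case. The container names, GPO names and settings are constructed sample data. Keeping the local GPO outside the reach of Block Inheritance is an assumption of the model (the local GPO is not an Active Directory link):

```python
"""Model of Group Policy processing order (added example, not from the slides).

Containers are walked Local -> Site -> Domain -> OU (LSDOU). Within one
container, links are processed from the highest Link Order number down to
Link Order 1, so Link Order 1 is applied last and wins conflicts. Enforced
links are applied after all normal links, higher-level containers last, and
they survive Block Inheritance.
"""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict            # constructed sample settings: name -> value


@dataclass
class Link:
    gpo: GPO
    order: int                # Link Order as shown in GPMC; 1 = highest precedence
    enforced: bool = False
    enabled: bool = True      # "Link Enabled" command; disabled links are skipped


@dataclass
class Container:
    name: str
    kind: str                 # "local", "site", "domain" or "ou"
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(path):
    """path: containers from the local GPO down to the object's own OU.
    Returns the GPOs in the order they are applied; a later GPO wins conflicts."""
    # The deepest container with Block Inheritance cuts off every non-enforced
    # link above it. Assumption: the local GPO is not an AD link and is kept.
    block_at = None
    for i, c in enumerate(path):
        if c.block_inheritance:
            block_at = i

    normal = []
    enforced_per_container = []
    for i, c in enumerate(path):
        links = sorted((l for l in c.links if l.enabled),
                       key=lambda l: l.order, reverse=True)
        blocked = block_at is not None and i < block_at and c.kind != "local"
        enforced_per_container.append([l.gpo for l in links if l.enforced])
        normal.extend(l.gpo for l in links if not l.enforced and not blocked)

    applied = list(normal)
    # Enforced links: OU level first, site level last, so the enforced link
    # from the highest container has the final word.
    for group in reversed(enforced_per_container):
        applied.extend(group)
    return applied


def effective_settings(path):
    """Apply the GPOs in processing order; the last writer wins each setting."""
    result = {}
    for gpo in processing_order(path):
        result.update(gpo.settings)
    return result


def build_sample_hierarchy():
    """Constructed sample: one object in the Sales OU of a single domain."""
    local = Container("Local", "local", [
        Link(GPO("Local GPO", {"wallpaper": "local", "lock_timeout": 600}), 1)])
    site = Container("HQ-Site", "site", [
        Link(GPO("Site Proxy", {"proxy": "hq-proxy"}), 1)])
    domain = Container("corp.example", "domain", [
        Link(GPO("Default Domain Policy",
                 {"wallpaper": "corporate", "lock_timeout": 900}), 1),
        Link(GPO("Security Baseline",
                 {"lock_timeout": 300, "usb_storage": "disabled"}), 2, enforced=True)])
    sales = Container("Sales", "ou", [
        Link(GPO("Sales Wallpaper", {"wallpaper": "sales"}), 1),
        Link(GPO("Sales Apps", {"app": "crm"}), 2),
        Link(GPO("Old Sales Policy", {"wallpaper": "old"}), 3, enabled=False)],
        block_inheritance=True)
    return [local, site, domain, sales]


if __name__ == "__main__":
    path = build_sample_hierarchy()
    print([g.name for g in processing_order(path)])
    print(effective_settings(path))
```

With Block Inheritance set on the Sales OU, the site and domain links are dropped but the enforced Security Baseline still lands last and wins the lock_timeout conflict; clearing the block lets Site Proxy and Default Domain Policy back in without changing the winner. Turning Enforced off on the baseline shows Link Order 1 (Default Domain Policy) beating Link Order 2 within the domain.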

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon (12)

Exceptions to the order in which GPOs are processed
Group Policies are never applied to Windows NT, 95, 98, or Windows Me computers

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon (13)

User Group Policy loopback processing mode
This policy is referred to as the loopback feature
It is enforced when both the user account and the computer account are members of a Windows 2000 or later domain
You can configure loopback so that the User Configuration settings in the computer's GPOs are applied to every user logging on to that computer

(Skill 3)

Figure: The User Group Policy loopback processing mode policy

(Skill 3)

Identifying the Role of a Group Policy at Startup and Logon (14)

User Group Policy loopback processing mode
In Merge mode, the computer's GPOs are appended to the default list of GPOs, so their User Configuration settings are applied last and win any conflict
In Replace mode, the User Configuration settings from the user's GPOs are completely replaced by those from the computer's GPOs

(Skill 3)

Figure: Merge or Replace mode
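The difference between normal processing, Merge mode and Replace mode described on the two loopback slides above, worked through in Python. This is an added example written for these notes, not code from the original slides; the GPO names and settings are constructed sample data, and each GPO is represented only by its User Configuration part, because that is the part loopback redirects:

```python
"""Loopback processing: added example, not from the original slides.

USER_GPOS and COMPUTER_GPOS are constructed sample data, already in processing
order (the last entry wins). Each entry is (GPO name, User Configuration).
"""


def resolve_user_settings(user_gpos, computer_gpos, mode=None):
    """Return {setting: (value, winning_gpo)} for the logged-on user.

    mode=None:      normal processing, only the user's own GPOs apply
    mode="merge":   the computer's GPOs are appended, so they are applied
                    last and win any conflict with the user's GPOs
    mode="replace": the user's GPOs are dropped; only the computer's apply
    """
    if mode is None:
        ordered = list(user_gpos)
    elif mode == "merge":
        ordered = list(user_gpos) + list(computer_gpos)
    elif mode == "replace":
        ordered = list(computer_gpos)
    else:
        raise ValueError(f"unknown loopback mode: {mode!r}")

    effective = {}
    for gpo_name, user_config in ordered:
        for setting, value in user_config.items():
            effective[setting] = (value, gpo_name)   # last writer wins
    return effective


# Constructed sample: a Sales user logging on to a shared kiosk computer.
USER_GPOS = [
    ("Default Domain Policy", {"wallpaper": "corporate", "logon_script": "yes"}),
    ("Sales Users", {"wallpaper": "sales", "mapped_drive": "S:"}),
]
COMPUTER_GPOS = [
    ("Kiosk Lockdown", {"wallpaper": "kiosk", "start_menu": "locked"}),
]


def winners(mode=None):
    """Which GPO supplied each effective setting for the sample data."""
    return {setting: gpo for setting, (value, gpo) in
            resolve_user_settings(USER_GPOS, COMPUTER_GPOS, mode).items()}


if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, resolve_user_settings(USER_GPOS, COMPUTER_GPOS, mode))
```

In Merge mode the user keeps the mapped drive and logon script from their own GPOs, while the kiosk's wallpaper and Start menu lockdown override them where they conflict; in Replace mode only the Kiosk Lockdown settings remain, which is why Replace is the usual choice for shared or kiosk computers and Merge for computers where the user's normal environment should survive.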

(Skill 4)

Planning a Group Policy Implementation

After you decide on a Group Policy setting design, you devise a Group Policy implementation strategy
Factors to consider:
Location of GPOs
Delegation of authority
Organization structure

(Skill 4)

Planning a Group Policy Implementation (2)

Types of Group Policy implementation strategies
Centralized GPO design: an organization's network is maintained by a small number of large GPOs
Decentralized GPO design: uses separate GPOs for specific policy settings

(Skill 4)

Planning a Group Policy Implementation (3)

Types of Group Policy implementation strategies
Functional Role (or Team) Design: Group Policies are applied according to the functional roles of users
Steps to implement this strategy:
Create an OU structure that corresponds to the actual team structure of your organization
Create a customized GPO for each OU that is tailored to the needs of the OU

(Skill 4)

Planning a Group Policy Implementation (4)

Types of Group Policy implementation strategies
Delegation with Central Control Design (or Distributed Control Design): based on delegating administrative control over OUs to various administrators in an organization
When you implement this strategy, you maintain centralized control while distributing managerial control to a number of OU administrators

(Skill 4)

Planning a Group Policy Implementation (5)

Regardless of which approach (or combination) you choose, it is important to try to avoid using certain tools and options:
Enforced and Block Inheritance options
Filtering
Troubleshooting GPOs can be very difficult when these tools are used

(Skill 5)

Creating a Group Policy Object

When you install Active Directory on your network, two GPOs are created automatically:
Default Domain Policy, which is linked to the domain
Default Domain Controllers Policy, which is linked to the Domain Controllers OU
You can use these policies to assign standard settings to the domain and the domain controllers in a domain, respectively

(Skill 5)

Creating a Group Policy Object (2)

GPOs can be linked to sites, domains, and OUs
To link a GPO to a site, use the Active Directory Sites and Services console or the GPMC
To link GPOs to domains and OUs, use either the Active Directory Users and Computers console or the GPMC

(Skill 5)

Creating a Group Policy Object (3)

You can create a stand-alone GPO console for a GPO and access it directly from the All Programs/Administrative Tools menu
Steps to create a GPO console:
1. Open the Add Standalone Snap-in dialog box from an MMC console
2. Select Group Policy Object Editor from the list of available snap-ins

(Skill 5)

Creating a Group Policy Object (4)

Steps to create a GPO console (continued):
3. Click the Browse button in the Group Policy Wizard
4. In the Browse for a Group Policy Object dialog box, select the GPO for which you want to create a console; the selected GPO name is added to the Group Policy Object text box on the Select Group Policy Object screen in the wizard
5. From the File menu, save the console for the GPO to make it available on the All Programs/Administrative Tools menu

(Skill 5)

Figure: Creating a GPO

(Skill 5)

Figure: The New GPO dialog box

(Skill 5)

Figure: New Group Policy Object in a domain

(Skill 6)

Delegating Control for a Group Policy Object

Assign permissions to delegate administrative control over a GPO on the Delegation tab in the GPMC
There are three standard permissions you can assign to a GPO
However, five permission levels display on the Delegation tab
Each of these permission levels represents a combination of Active Directory permissions

(Skill 6)

Delegating Control for a Group Policy Object (2)

To delegate permissions for a GPO, you must have the Edit settings, delete, and modify security permission for the GPO
To view the permissions for groups with custom permissions, or to set custom permissions, click the Advanced button to open the ACL Editor for the GPO (the <GPO_name> Security Settings dialog box)

(Skill 6)

Delegating Control for a Group Policy Object (3)

You must assign the Edit settings, delete, and modify security permission to at least one group or user for each GPO
If there is only one user or group with this permission level, you cannot remove this user or group
Permissions inherited from parent containers cannot be removed

(Skill 6)

Delegating Control for a Group Policy Object (4)

To change the permissions assigned to a user or group:
Right-click the user or group in the Groups and users box
Select from the three standard permissions on the context menu
You can also use the Remove command to remove a user or group from the Groups and users box

(Skill 6)

Figure: Setting GPO permissions

(Skill 6)

Figure: The Delegation tab in the GPMC

Thank you

Q & A

For my slides and handouts:
http://zeeshanacademy.blogspot.com/
https://www.facebook.com/drzeeshanacademy
https://sites.google.com/site/drzeeshanacademy/
