Training Guide Administering Windows Server 2012 R2 (2014)
Chapter 5. Managing Group Policy application and infrastructure
There is far more to managing Group Policy than knowing the location of specific policy items. After your environment has more than a couple of Group Policy Objects (GPOs), you have to start thinking about issues such as how they apply, who can edit them, what to do if substantive changes in policy need to be rolled back, and how you can track changes in Group Policy over time. In this chapter, you’ll learn how to back up, restore, import, and export GPOs. You’ll learn how to delegate the process of editing and applying GPOs, and how to resolve configuration problems related to the application of Group Policy.
Lessons in this chapter:
Lesson 1: Maintaining Group Policy Object
Lesson 2: Managing the application of Group Policy
Before you begin
To complete the practice exercises in this chapter:
You need to have deployed computers SYD-DC, MEL-DC, and ADL-DC, as described in the Introduction, using the evaluation edition of Windows Server 2012 R2.
Lesson 1: Maintaining Group Policy Object
As an experienced systems administrator pursuing certification, you have a reasonable idea of how to use Group Policy. The administration of Group Policy doesn’t just occur at the level of configuring individual policies. In large organizations with many policies, it’s necessary to have a maintenance strategy. Ensuring that important Group Policy Objects (GPOs) are backed up and recoverable is as important as backing up and recovering other critical services such as DNS and Dynamic Host Configuration Protocol (DHCP). In this lesson, you’ll learn how to back up, restore, import, and copy GPOs. You’ll also learn how to delegate the management of GPOs.
After this lesson, you will be able to:
Back up, import, copy, and restore GPOs.
Migrate GPOs between domains and forests.
Delegate GPO management.
Estimated lesson time: 45 minutes
Managing Group Policy Objects
As an experienced systems administrator, you are aware that GPOs enable you to configure settings for multiple users and computers. After you get beyond editing GPOs to configure settings, you need to start thinking about issues such as GPO maintenance. For example, if an important document is lost, you need to know how to recover it from backup. Do you know what to do if someone accidentally deletes a GPO that has hundreds of settings configured over a long period of time?
The main tool you’ll use for managing GPOs is the Group Policy Management Console (GPMC), shown in Figure 5-1. You can use this console to back up, restore, import, copy, and migrate. You can also use this console to delegate GPO management tasks.
FIGURE 5-1 GPMC
There are also a substantial number of cmdlets available in the Windows PowerShell Group Policy module, including the following:
Get-GPO Enables you to view GPOs. The output of this cmdlet is shown in Figure 5-2.
FIGURE 5-2 Output of the Get-GPO cmdlet
Backup-GPO Enables you to back up GPOs.
Import-GPO Enables you to import a backed-up GPO into a specified GPO.
New-GPO Enables you to create a new GPO.
Copy-GPO Enables you to copy a GPO.
Rename-GPO Enables you to change a GPO’s name.
Restore-GPO Enables you to restore a backed-up GPO to its original location.
Remove-GPO Enables you to remove a GPO.
Backing up a GPO enables you to create a copy of a GPO as it exists at a specific point in time. A user must have read permission on a GPO to back it up. When you back up a GPO, the backup version of the GPO is incremented. It is good practice to back up GPOs prior to editing them so that if something goes wrong, you can revert to the unmodified GPO.
Real World: Backing up GPOs
If your organization doesn’t have access to the Microsoft Desktop Optimization Pack (MDOP), you should back up GPOs before you or other people modify them. If a problem occurs, it’s quicker to restore a backup than it is to reconfigure the modified GPO with the existing settings. MDOP provides the ability to use GPO versioning as well as other advanced functionality.
To back up a GPO, perform the following steps:
1. Open the GPMC.
2. Right-click the GPO that you want to back up, and click Back Up. In the Back Up Group Policy Object dialog box, shown in Figure 5-3, enter the location of the backup and a description for the backup.
FIGURE 5-3 Backing up a GPO
You can restore a GPO using the Restore-GPO cmdlet. Restoring a GPO overwrites the current version of the GPO if one exists or re-creates the GPO if the GPO has been deleted. To restore a GPO, right-click the Group Policy Objects node in the GPMC, and click Manage Backups. In the Manage Backups dialog box, shown in Figure 5-4, select the GPO that you want to restore and click Restore. If multiple backups of the same GPO exist, you can select which version of a GPO to restore.
FIGURE 5-4 Restoring a GPO from backup
Import and copy GPOs
Importing a GPO enables you to take the settings in a backed-up GPO and import them into an existing GPO. To import a GPO, perform the following steps:
1. Right-click an existing GPO in the GPMC and click Import Settings.
2. In the Import Settings Wizard, you are given the option of backing up the destination GPO’s settings. This enables you to roll back the import.
3. Specify the folder that hosts the backed-up GPO.
4. On the Source GPO page of the Import Settings Wizard, shown in Figure 5-5, select the source GPO. You can view the settings that have been configured in the source GPO prior to importing it. Complete the wizard to finish importing the settings.
FIGURE 5-5 Importing GPO settings
Remember that when you import settings from a backed-up GPO, the settings in the backed-up GPO overwrite the settings in the destination GPO.
Copying a GPO creates a new GPO and copies all configuration settings from the original to the new. You can copy GPOs from one domain to another. You can also use a migration table when copying a GPO to map security principals referenced in the source domain to security principals referenced in the destination domain.
To copy a GPO, perform the following steps:
1. Right-click the GPO that you want to copy and click Copy.
2. Right-click the location that you want to copy the GPO to and click Paste.
3. In the Copy GPO dialog box, choose between using the default permissions and preserving the existing permissions assigned to the GPO (see Figure 5-6).
FIGURE 5-6 Copying a GPO
Fixing GPO problems
Windows Server 2012 and Windows Server 2012 R2 include command line utilities that allow you to repair GPO after you perform a domain rename or recreate default GPOs. If you need to recreate the default GPOs for a domain, use the DCGPOFix.exe command. If you perform a domain rename, you can use the GPFixup.exe command to repair name dependencies in GPOs and Group Policy links.
Migrate Group Policy Objects
When moving GPOs between domains or forests, you need to ensure that any domain-specific information is accounted for, so locations and security principals in the source domain aren’t used in the destination domain. You can account for these locations and security principals using migration tables. You use migration tables when copying or importing GPOs.
Migration tables enable you to alter references when moving a GPO from one domain to another, or from one forest to another. An example is when you are using GPOs for software deployment and need to replace the address of a shared folder that hosts a software installation file so that it is relevant to the target domain. You can open the Migration Table Editor (MTE), shown in Figure 5-7, by right-clicking Domains in the GPMC, and clicking Open Migration Table Editor.
FIGURE 5-7 Opening the MTE
When you use the MTE, you can choose to populate from a GPO that is in the current domain, or choose to populate the MTE from a backed-up GPO. When you perform this action, the MTE will be populated with settings that reference local objects. If, when you perform this action, there are no results, then no local locations are referenced in the GPO that you are going to migrate.
More Info: Working with migration tables
You can learn more about working with migration tables at http://technet.microsoft.com/en-us/library/cc754682.aspx.
Delegate GPO management
In larger environments, there is more than one person in the IT department. In very large organizations, one person’s entire job responsibility might be creating and editing GPOs. Delegation enables you to grant the permission to perform specific tasks to a specific user or group of users. You can delegate some or all of the following Group Policy management tasks:
GPO creation
GPO modification
GPO linking to specific sites, organizational units (OUs), or domains
Permission to perform Group Policy Modeling analysis at the OU or domain level
Permission to view
Group Policy Results information at the OU, or domain level
Windows Management Instrumentation (WMI) filter creation
Users in the Domain Admins and Enterprise Admins groups can perform all Group Policy management tasks. Users that are members of the Group Policy Creator Owners domain group can create GPOs. They also have the right to edit and delete any GPOs that they have created.
You can delegate permissions to GPOs directly using the GPMC, as shown in Figure 5-8.
FIGURE 5-8 Group Policy permissions
Creating GPOs
If you want to delegate the ability for users to create GPOs, you can add them to the Group Policy Creator Owners group. You can also explicitly grant them permission to create GPOs using the GPMC. To do this, perform the following steps:
1. Open the GPMC from the Tools menu of Server Manager.
2. Expand the domain in which you want to delegate the ability to create GPOs, click Group Policy Objects, and click the Delegation tab.
3. Click Add and select the group or user that you want to give the ability to create GPOs in that domain.
Quick check
What group should you add users to if you want to enable them to create GPOs in the domain, but not add them to the Domain Admins or Enterprise Admins groups?
Quick check answer
Add them to the Group Policy Creator Owner group.
Editing GPOs
To edit a GPO, users must be either a member of the Domain Admins or Enterprise Admins group. They can edit a GPO if they created it. They can also edit a GPO if they have been given Read/Write permissions on the GPO through the GPMC.
To grant a user permission to edit a GPO, perform the following steps:
1. Click the GPO in the GPMC.
2. Click the Delegation tab, as shown in Figure 5-9.
FIGURE 5-9 Delegating permissions
3. Click Add, specify the user or group that should have permission to edit the GPO, and then specify the permissions that you want to give this user or group. You can choose from one of the following permissions:
Read
Edit Settings
Edit Settings, Delete, Modify Security
Linking GPOs
To enable a user to link a GPO to a specific object, you need to edit the permission on that object. You can perform this task in the GPMC, as shown in Figure 5-10. For example, to grant a user or group permission to link a GPO to an OU, select the OU in the GPMC, select the Delegation tab, click Add, and then select the user or group to which you want to grant this permission.
FIGURE 5-10 Delegating link GPO permission
Modeling, results, and WMI filters
Delegating permissions to perform tasks related to Group Policy Modeling and Group Policy Results is performed at the domain level, as shown in Figure 5-11. You can delegate the ability to create WMI filters by selecting the WMI Filters node in the GPMC and granting the permission on the Delegation tab.
FIGURE 5-11 Delegating Group Policy Modeling and Group Policy Results permissions
Lesson summary
Each time you back up a GPO, it creates a copy of that GPO at a particular point in time.
Restoring a GPO overwrites the existing GPO if it still exists, or recovers it if it has been deleted.
Importing a GPO overwrites the settings in the destination GPO with the settings from the imported GPO.
Copying a GPO creates a duplicate of the GPO.
You use migration tables when moving GPOs between domains and forests to account for local references in the source domain.
You can delegate the permission to create, edit, and link using the GPMC. Non-administrative users can then perform some Group Policy tasks, such as editing policies, without giving them unnecessary privileges.
Lesson review
Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
1. You have 200 individual GPO settings in a backed-up GPO named Melbourne-2012 that you want to include in an existing GPO named Sydney-2013. Which of the following Windows PowerShell cmdlets should you use to accomplish this goal?
A. Backup-GPO
B. Import-GPO
C. Restore-GPO
D. Copy-GPO
2. Prior to editing a Group Policy, your assistant makes a backup of the GPO that she is going to edit. Unfortunately, she makes a mistake in configuring the GPO. You need to revert the GPO to the state it was in prior to your assistant’s edits. Which of the following Windows PowerShell cmdlets should you use to accomplish this goal?
A. Copy-GPO
B. Restore-GPO
C. Import-GPO
D. Backup-GPO
3. You want to copy a GPO from one domain to another in a forest. Which tool should you use to ensure that references to objects in the source domain updated are relevant to the destination domain? (Choose all that apply.)
A. Active Directory Sites and Services
B. Active Directory Users and Computers
C. Migration Table Editor
D. Group Policy Management Editor
4. Which of the following security groups have the right to create GPOs by default? (Choose all that apply.)
A. Group Policy Creator Owners
B. Enterprise Admins
C. Domain Admins
D. Domain Controllers
5. You are about to make substantial modifications to the default domain GPO. You want to ensure that you can return to the current state of the GPO if the modifications cause problems. Which of the following Windows PowerShell cmdlets should you use?
A. Copy-GPO
B. Restore-GPO
C. Import-GPO
D. Backup-GPO
Lesson 2: Managing Group Policy application
For environments in which you need to apply more than one Group Policy, understanding the rules of precedence is critical. Not only do you need to understand that where you apply a Group Policy determines its overall influence but also that GPOs may or may not apply due to inheritance blocks, security filtering, or loopback processing. In this lesson, you’ll learn the rules on Group Policy application and how to determine which Group Policy settings have precedence in complex environments.
After this lesson, you will be able to:
Determine policy processing order and precedence.
Configure policy enforcement and blocking.
Perform Group Policy security filtering.
Configure WMI filtering.
Enable loopback processing.
Configure slow-link processing.
Estimated lesson time: 45 minutes
Policy processing precedence
In organizations with large Group Policy deployments, multiple GPOs might apply to a single user account or computer account; or when a user is signed on to a specific computer, to both. Group Policy processing precedence is the set of rules that determines which Group Policy items apply when multiple GPOs are configured.
Group Policies are processed in the following manner:
Local Settings configured at the local level apply first. If multiple local policies apply, settings in machine policies apply first, settings in admin and nonadmin local policies override them, and settings in per-user policies override any configured at the machine and admin/nonadmin level.
Site Policies based on location apply next. Any settings configured at the site level override settings configured at the local level. You can link multiple GPOs at the site level. When you do this, policies with a lower numerical link order override policies with a higher numerical link order. For example in Figure 5-12, settings in the Melbourne-Computer policy override settings configured in the Melbourne-User policy.
FIGURE 5-12 GPO link order
Domain Settings applied at the domain level override settings applied at the site and local levels. You can link multiple GPOs at the domain level. The Default Domain Policy is linked at this level.
Organizational unit (OU) Settings applied at the organizational unit level override settings applied at the domain, site, and local levels. When an account is a member of a child OU, policies applied at the child OU level override policies applied at the parent OU level. You can apply multiple GPOs at the OU level. Policies with a lower numerical link order override policies with a higher numerical link order.
Group Policy processing precedence is relevant only when there are conflicts in policies. If policy A applies at the domain level, and policy B applies at the OU level, both policy A and policy B apply.
Policy enforcement and blocking
When configuring a Group Policy, you can choose to enforce that policy. To enforce a Group Policy, right-click that policy at the location in which you link the policy and then click Enforced. When you choose to enforce a policy, that policy will apply and override settings configured at other levels. For example, normally a policy linked at the OU level would override a policy linked at the domain level. If you configure the policy at the domain level as Enforced, it instead overrides the policy linked at the OU level.
The Block Inheritance function enables you to block policies applied at earlier levels. For example, you can use Block Inheritance at the OU level to block policies applied at the domain and site level. Block Inheritance does not stop the application of policies configured as Enforced. For example, Figure 5-13 shows the Research OU configured with the Block Inheritance setting. The Melbourne-Computer policy, applied at the domain level as Enforced, still applies because a setting of Enforced overrides a setting of Block Inheritance.
FIGURE 5-13 Override versus Enforced
Group Policy security filtering
Security filtering enables you to configure permissions on GPOs. By default, Group Policies apply to the Authenticated Users group. By changing the default permissions, you can make the Group Policy apply only to a specific group. For example, if you remove the Authenticated Users group and add another security group such as the Melbourne-Users group (shown in Figure 5-14), the Group Policy applies to only that configured security group.
FIGURE 5-14 Security filtering
When considering whether to use security filtering, keep the following in mind:
A security filter applies to the GPO, so it applies wherever the GPO is linked. You can’t have one security filter apply to the GPO when linked at the domain level, and another security filter apply to the GPO when linked at the OU level.
Filtered policies still need to be checked during the Group Policy processing process, which can increase the amount of time spent on Group Policy processing. Startup and logon times may increase.
It is also possible to apply a Deny permission on the basis of security account or group. Deny permissions override Allow permissions. You block a particular security group from receiving a Group Policy by setting the Apply Group Policy (Deny) advanced permission, as shown for the Sydney-Users group for the Melbourne-General GPO in Figure 5-15. You can do this on the Delegation tab of a GPO’s properties instead of the Scope tab.
FIGURE 5-15 Security filtering
Quick check
How would you block a GPO from applying to members of a particular security group?
Quick check answer
Configure an Apply Group Policy (Deny) advanced permission on the Delegation tab of a GPO’s properties.
Group Policy WMI filtering
WMI filtering enables you to filter the application of policy based on the results of a WMI query. For example, you might write a WMI query to determine whether a computer has an x86 or x64 processor, or whether there is more than a certain amount of disk space available. WMI queries are often used with policies related to software deployment to determine whether the target computer has the appropriate system resources to support the installation of the application.
The drawback of WMI queries is that they are complicated for systems administrators who are unfamiliar with programming beyond simple scripting. WMI queries also cause significant delays in Group Policy processing. In environments in which sophisticated logic needs to be applied to targeted application distribution, products such as Microsoft System Center 2012 Configuration Manager are more appropriate. System Center 2012 Configuration Manager enables administrators performing software deployment to configure ways of checking hardware configuration prior to software deployment that do not require writing queries in WMI Query Language (WQL).
You can create WMI filters by using the New WMI Filter dialog box (shown in Figure 5-16).
FIGURE 5-16 Creating a WMI filter
More Info: WMI queries
You can learn more about WMI queries at http://msdn.microsoft.com/en-us/library/ms186146(VS.80).aspx.
Loopback processing
As you are aware, each GPO has two distinct sections: Computer Configuration and User Configuration (see Figure 5-17). The resultant policies for a user are based on the cumulative user configuration settings in GPOs that apply to the user’s accounts at the site, domain, and OU setting. The resultant computer policies are applied based on the cumulative computer configuration settings in GPOs that apply to the computer’s account at the site, domain, and OU level.
FIGURE 5-17 GPO structure
In some situations, you’ll want only the GPOs that apply to the computer account to apply. You might want to do this with conference room computers, for which you want people to be able to sign on with domain accounts but to have a very controlled configuration. When you enableloopback processing, user settings are determined based on the settings in the User Configuration settings area of GPOs that apply to the computer account.
There are two types of loopback processing that you can configure by setting the Group Policy loopback processing mode policy, shown in Figure 5-18, and located under Computer Configuration\Administrative Templates\System\Group Policy: Replace And Merge.
Replace When you configure Replace, only the GPOs that apply to the computer account will apply. Settings in the User Configuration area of the GPOs that apply to the computer account will apply.
Merge The settings in the User Configuration area of GPOs that apply to the user account will still apply, but will be overridden by settings in the User Configuration area of GPOs that apply to the computer account.
FIGURE 5-18 Loopback processing policy
Slow-link processing enables you to configure Group Policy application to be performed in a different manner, depending on the speed of the connection from the client to the domain controller. It enables you to block activities such as software deployment when the connection between Active Directory and the client is detected as falling below a particular threshold. You configure slow link detection by configuring the Group Policy slow link detection policy, as shown in Figure 5-19. This policy is located under Computer Configuration\Administrative Templates\System\Group Policy. When a slow link is detected, registry settings from administrative templates, security policies, EFS recovery policy, and IPsec policies are applied. Policies related to application deployment, scripts, folder redirection, and disk quotas will not be applied.
FIGURE 5-19 Slow link detection
Group Policy caching
Group Policy caching reduces the amount of time taken to process Group Policy during computer startup and user sign on. Rather than retrieve the Group Policies that apply to the computer from a domain controller when a computer starts up or a user signs on, the client will use a cached copy of the last Group Policies downloaded from the domain controller. After this initial application of the cached policies during startup and user sign on, policies will be retrieved and applied normally from a domain controller. You enable Group Policy caching by configuring the Configure Group Policy Caching policy as shown in Figure 5-20. This policy is located under Computer Configuration\Policies\Administrative Templates\System\Group Policy. Group Policy caching applies only to computers running Windows Server 2012 R2, Windows 8.1, or Windows RT 8.1.
FIGURE 5-20 Configure Group Policy caching
More Info: Group policy caching
You can learn more about Group Policy caching by reading this blog post by Group Policy MVP Darren Mar-Elia at http://sdmsoftware.com/group-policy-blog/group-policy/understanding-group-policy-caching-in-windows-8-1/.
Force Group Policy update
Windows Server 2012 and later support remote Group Policy update. Remote Group Policy update allows you to force a remote computer to perform a Group Policy update without having to sign on to the computer and run the GPUpdate.exe command. Remote Group Policy update will work on clients running the Windows Vista and later operating system. Remote Group Policy requires the following firewall rules be enabled on clients:
Remote Scheduled Tasks Management (RPC)
Remote Scheduled Tasks Management (RPC-EPMAP)
Windows Management Instrumentation (WMI-In)
You can run remote Group Policy update from the Group Policy Management Console by right-clicking on a container or OU. An update will run on all computers within the container or OU as well as on any computer accounts stored within child OUs. Figure 5-21 shows the result of running remote Group Policy update on the Domain Controllers container. You can also use the Invoke-GPUpdate Windows PowerShell cmdlet to trigger a remote Group Policy update. The advantage of the Windows PowerShell cmdlet is that you can target a specific computer rather than all computer accounts in an OU.
FIGURE 5-21 Remote Group Policy update
More Info: Using remote GPUpdate
You can learn more about remote Group Policy update at https://blogs.technet.com/b/grouppolicy/archive/2012/11/27/group-policy-in-windows-server-2012-using-remote-gpupdate.aspx.
Lesson summary
Group Policies are processed in the following order: local, site, domain, and OU. Policies processed later override policies processed earlier.
When there are parent and child OUs, and the user or computer account is a member of the child OU, the policy applied at the child OU overrides policies applied at the parent OU.
Policy processing order is important only when policies conflict.
A policy with the Override setting will override other policies in the processing order, including when Block Inheritance has been configured.
Security filtering applies on a GPO, no matter where it is linked.
Loopback processing enables GPO settings applied to the computer account to override GPO settings applied to the user account.
Slow-link processing enables you to configure policies not to be processed when low bandwidth connections to Active Directory are detected.
Group Policy caching allows cached copies of GPOs that apply to users and computers to be applied at startup and sign on.
Remote Group Policy update allows you to force a Group Policy update on a remote client. Remote Group Policy update requires that 3 firewall rules be configured on clients.
Lesson review
Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
1. You want to ensure that a Group Policy applies only to computers that have more than 2 gigabytes (GB) of disk space. Which of the following should you configure to accomplish this goal?
A. Security filtering
B. WMI filtering
C. Loopback processing
D. Slow-link processing
2. A Group Policy named Alpha applies at the site level. A Group Policy named Beta is assigned link order 2 at the domain level. A Group Policy named Gamma is assigned link order 1 at the domain level. A Group Policy named Delta is assigned to the Research OU. A computer account is located in the Research OU. If the same setting is configured differently in the Alpha, Beta, Gamma, and Delta GPOs, which GPO’s version of this setting will apply to the computer?
A. Alpha
B. Beta
C. Gamma
D. Delta
3. A Group Policy named Alpha applies at the site level. A Group Policy named Beta is assigned link order 2 at the domain level. A Group Policy named Gamma is assigned link order 1 at the domain level. A Group Policy named Delta is assigned to the Research OU. A computer account is located in the Research OU. GPO Gamma is configured with the No Override setting. If the same setting is configured differently in the Alpha, Beta, Gamma, and Delta GPOs, which GPO’s version of this setting will apply to the computer?
A. Alpha
B. Beta
C. Gamma
D. Delta
4. A Group Policy named Alpha applies at the site level. A Group Policy named Beta is assigned link order 2 at the domain level. A Group Policy named Gamma is assigned link order 1 at the domain level. A Group Policy named Delta is assigned to the Research OU. A computer account is located in the Research OU. GPO Beta is configured with the No Override setting. OU Research is configured with the Block Inheritance setting. If the same setting is configured differently in GPOs Alpha, Beta, Gamma, and Delta, which GPO’s version of this setting will apply to the computer?
A. Alpha
B. Beta
C. Gamma
D. Delta
5. You have a policy applied at the domain level that you don’t want applied to five computers in your organization. Which of the following should you configure to accomplish this goal?
A. Security filtering
B. WMI filtering
C. Loopback processing
D. Slow-link processing
Practice exercises
The goal of this section is to provide you with hands-on practice with the following:
Creating, backing up, and restoring GPOs
Delegating GPO permissions
Enabling loopback processing
Configuring blocking and enforcement
Configuring GPO security filtering
To perform the exercises in this section, you need access to an evaluation version of Windows Server 2012 R2. You should also have access to virtual machines SYD-DC, MEL-DC, CBR-DC, and ADL-DC, the setup instructions for which are described in the Introduction. You should ensure that you have a checkpoint of these virtual machines that you can revert to at the end of the practice exercises. You should revert the virtual machines to this initial state prior to beginning these exercises.
Exercise 1: Prepare GPOs, security groups, and OUs
In this exercise, you prepare GPOs. To complete this exercise, perform the following steps:
1. Sign in to SYD-DC with the Contoso\Administrator account.
2. In Server Manager, click the Tools menu, and click Group Policy Management.
3. Expand the Forest: Contoso.com\Domains\Contoso.com node and click Group Policy Objects, as shown in Figure 5-22.
FIGURE 5-22 Clicking Group Policy Objects
4. On the Action menu, click New.
5. In the New GPO dialog box, type Melbourne, as shown in Figure 5-23, and click OK.
FIGURE 5-23 New GPO dialog box
6. Repeat steps 4 and 5 to create new GPOs named Sydney and Adelaide.
7. Verify that there are five GPOs listed, as shown in Figure 5-24.
FIGURE 5-24 Three new GPOs
8. In Server Manager, click Active Directory Administrative Center.
9. In Active Directory Administrative Center, click Contoso (Local), and then click Users, as shown in Figure 5-25.
FIGURE 5-25 Users container
10. In the Tasks pane, click New, and click Group.
11. In the Create Group dialog box, type the group name Melbourne_GPO_Editors; click Security, Global, and Protect From Accidental Deletion, as shown in Figure 5-26; then click OK.
FIGURE 5-26 Creating a security group
12. Repeat steps 10 and 11 to create the Adelaide_Computers security group.
13. In the Active Directory Administrative Center, in the Tasks pane, under Contoso (Local), click New, and then click Organizational Unit.
14. In the Create Organizational Unit dialog box, type the name Melbourne_Computers, as shown in Figure 5-27, and click OK.
FIGURE 5-27 Create Organizational Unit dialog box
15. Close the Active Directory Administrative Center.
16. On the taskbar, click File Manager.
17. In File Manager, click Computer, and then double-click Local Disk (C:).
18. On the title bar of the Local Disk (C:) window, click the New Folder icon.
19. Name the new folder GPO_Backup.
20. Close the Local Disk (C:) window.
Exercise 2: Manage GPOs
In this exercise, you perform several Group Policy management-related tasks. To complete this exercise, perform the following steps:
1. In the GPMC, click the Melbourne GPO.
2. When the Melbourne GPO is selected, click the Delegation tab, as shown in Figure 5-28.
FIGURE 5-28 OU Delegation tab
3. On the Delegation tab, click Add.
4. In the Select User, Computer, Or Group dialog box, type Melbourne_GPO_Editors, click Check Names, and click OK.
5. In the Add Group Or User dialog box, use the drop-down menu to select Edit Settings, Delete, Modify Security, as shown in Figure 5-29, and click OK.
FIGURE 5-29 OU Delegation tab
6. In the GPMC, click the Sydney GPO.
7. On the Action menu, click Back Up.
8. In the Back Up Group Policy Object dialog box, type C:\GPO_Backup as the location, as shown in Figure 5-30, and click Back Up.
FIGURE 5-30 Back Up Group Policy Object dialog box
9. In the Backup dialog box, click OK.
10. In the GPMC, click the Sydney GPO.
11. On the Action menu, click Delete.
12. In the Group Policy Management dialog box, click Yes.
13. Verify that the Sydney GPO is no longer listed under Group Policy Objects, as shown in Figure 5-31.
FIGURE 5-31 Verify deleted GPO
14. Click Group Policy Objects. On the Action menu, click Manage Backups.
15. In the Manage Backups dialog box, click the Sydney GPO, as shown in Figure 5-32, and click Restore.
FIGURE 5-32 Manage Backups dialog box
16. In the Group Policy Management dialog box, click OK.
17. In the Restore dialog box, click OK.
18. In the Manage Backups dialog box, click Close.
19. Verify the presence of the Sydney GPO in the list of Group Policy Objects.
Exercise 3: Manage Group Policy processing
In this exercise, you perform Group Policy management tasks related to Group Policy processing. To complete this exercise, perform the following steps:
1. In the GPMC, click the Adelaide GPO.
2. On the Action menu, click Edit.
3. In the Group Policy Management Editor, expand the Computer Configuration\Administrative Templates\System\Group Policy node and select the Configure User Group Policy loopback processing mode policy, as shown in Figure 5-33.
FIGURE 5-33 Select Group Policy loopback processing mode policy
4. On the Action menu, click Edit.
5. In the Configure User Group Policy Loopback Processing Mode dialog box, click Enabled. Set the mode to Replace, as shown in Figure 5-34, and click OK.
FIGURE 5-34 Configure replace mode
6. Close the Group Policy Management Editor.
7. In the GPMC, click the Adelaide GPO, and click the Scope tab.
8. On the Scope tab, click the Authenticated Users group, and click Remove.
9. In the Group Policy Management dialog box, click OK.
10. Under Security Filtering, click Add.
11. In the Select User, Computer, Or Group dialog box, type Adelaide_Computers, click Check Names, and click OK.
12. Verify that the security filtering properties of the Adelaide GPO match those in Figure 5-35.
FIGURE 5-35 Configuring security filtering properties
13. In the GPMC, click Contoso.com, and click the Linked Group Policy Objects tab.
14. Click Contoso.com. On the Action menu, click Link An Existing GPO.
15. In the Select GPO dialog box, click Adelaide, as shown in Figure 5-36, and click OK.
FIGURE 5-36 Selecting the GPO to link
16. In the GPMC, verify that the Adelaide GPO and the Default Domain Policy GPO are linked to the domain, as shown in Figure 5-37.
FIGURE 5-37 GPOs linked to the domain
Exercise 4: Group Policy inheritance and enforcement
In this exercise, you will perform Group Policy management tasks related to Group Policy processing. To complete this exercise, perform the following steps:
1. In the GPMC, click the Melbourne_Computers OU.
2. On the Action menu, click Block Inheritance.
3. In the GPMC, click Contoso.com.
4. On the Action menu, click Link An Existing GPO.
5. In the Select GPO dialog box, click Melbourne, and then click OK.
6. Click the Melbourne GPO under Contoso.com.
7. On the Action menu, click Enforced.
8. Verify that the GPMC shows the Melbourne policy as Enforced and the Melbourne_Computers OU set to Block Inheritance, as shown in Figure 5-38.
FIGURE 5-38 Block Inheritance and Enforced GPOs
9. In the GPMC, click the Group Policy Modeling node.
10. On the Action menu, click Group Policy Modeling Wizard.
11. On the Welcome page of the Group Policy Modeling Wizard, click Next.
12. On the Domain Controller Selection page, click This Domain Controller, and click SYD-DC.contoso.com. Click Next.
13. On the User And Computer Selection page, click Browse next to Container in the Computer Information section.
14. In the Choose Computer Container dialog box, click Melbourne_Computers, and click OK.
15. Verify that the User And Computer Selection page matches Figure 5-39, and click Next.
FIGURE 5-39 Group Policy Modeling Wizard
16. On the Summary Of Selections page, click Next, and then click Finish.
17. In the Warning dialog box, click OK.
18. Verify that the report for the Melbourne_Computers OU matches Figure 5-40, and that only the Melbourne GPO is listed.
FIGURE 5-40 Group Policy Modeling results
Suggested practice exercises
The following additional practice exercises are designed to give you more opportunities to practice what you’ve learned and to help you successfully master the lessons presented in this chapter.
Exercise 1 Configure GPO settings in the Melbourne GPO. Import these settings into the Sydney GPO.
Exercise 2 Configure the Melbourne GPO so that it will not apply to members of the Adelaide_Computers group.
Answers
This section contains the answers to the lesson review questions in this chapter.
Lesson 1
1. Correct answer: B
A. Incorrect. You use the Backup-GPO cmdlet to back up an existing GPO.
B. Correct. You use the Import-GPO cmdlet to import settings from a backed-up GPO to an existing target GPO.
C. Incorrect. You use the Restore-GPO cmdlet to restore a backed-up GPO to a previous state.
D. Incorrect. You use the Copy-GPO cmdlet to create a copy of an existing GPO.
2. Correct answer: B
A. Incorrect. You use the Copy-GPO cmdlet to create a copy of an existing GPO.
B. Correct. You use the Restore-GPO cmdlet to restore a backed-up GPO to a previous state.
C. Incorrect. You use the Import-GPO cmdlet to import settings from a backed-up GPO to an existing target GPO. Although it would import the settings from the backed-up GPO, it is possible that other settings not included in the original backed-up GPO were configured by your assistant.
D. Incorrect. You use the Backup-GPO cmdlet to back up an existing GPO.
3. Correct answer: C
A. Incorrect. You use the Active Directory Sites and Services console to manage Active Directory sites. You can’t use this console to configure GPO migration settings.
B. Incorrect. You use this console to manage Active Directory security principals and containers. You can’t use this console to configure GPO migration settings.
C. Correct. You use this tool to configure the migration table, which is necessary when migrating objects from one domain or forest to another.
D. Incorrect. You use this to edit GPOs. You can’t use this console to configure GPO migration settings.
4. Correct answers: A, B, and C
A. Correct. Members of the Group Policy Creator Owners group can create GPOs by default.
B. Correct. Members of the Enterprise Admins group can create GPOs by default.
C. Correct. Members of the Domain Admins group can create GPOs by default.
D. Incorrect. The Domain Controllers group is a group for the accounts of domain controllers. It does not grant any permissions on GPOs.
5. Correct answer: D
A. Incorrect. You use the Copy-GPO cmdlet to create a copy of an existing GPO. It does not allow you to revert the default domain GPO to its original state.
B. Incorrect. You use the Restore-GPO cmdlet to restore a backed-up GPO to a previous state. You need to create the backup first.
C. Incorrect. You use the Import-GPO cmdlet to import settings from a backed-up GPO to an existing target GPO.
D. Correct. You use the Backup-GPO cmdlet to back up an existing GPO.
Lesson 2
1. Correct answer: B
A. Incorrect. You use Security Filtering to filter GPO application based on security group membership.
B. Correct. You can use a WMI query to filter GPO application based on the properties of a target computer, such as how much disk space it has available.
C. Incorrect. You use loopback processing to enforce settings that apply to the computer account rather than the user account.
D. Incorrect. You use slow-link processing to configure Group Policy not to apply across low-bandwidth connections.
2. Correct answer: D
A. Incorrect. In this scenario, GPO Delta has precedence over the other GPOs.
B. Incorrect. In this scenario, GPO Delta has precedence over the other GPOs.
C. Incorrect. In this scenario, GPO Delta has precedence over the other GPOs.
D. Correct. In this scenario, GPO Delta has precedence over the other GPOs.
3. Correct answer: C
A. Incorrect. In this scenario, the No Override setting on GPO Gamma means that it has precedence.
B. Incorrect. In this scenario, the No Override setting on GPO Gamma means that it has precedence.
C. Correct. In this scenario, the No Override setting on GPO Gamma means that it has precedence.
D. Incorrect. In this scenario, the No Override setting on GPO Gamma means that it has precedence.
4. Correct answer: B
A. Incorrect. No Override settings override Block Inheritance, so the setting in GPO Beta applies to the computer.
B. Correct. No Override settings override Block Inheritance, so the setting in GPO Beta applies to the computer.
C. Incorrect. No Override settings override Block Inheritance, so the setting in GPO Beta applies to the computer.
D. Incorrect. No Override settings override Block Inheritance, so the setting in GPO Beta applies to the computer.
5. Correct answer: A
A. Correct. You use Security Filtering to filter GPO application based on security group membership. In this case, you configure the Apply Group Policy (Deny) advanced permission.
B. Incorrect. You can use a WMI query to filter GPO application based on the properties of a target computer, such as how much disk space it has available.
C. Incorrect. You use loopback processing to enforce settings that apply to the computer account rather than the user account.
D. Incorrect. You use slow-link processing to configure Group Policy not to apply across low-bandwidth connections.