Logo
programming4us
programming4us
programming4us
programming4us
Windows XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
 
Windows Server

Windows Server 2008 R2 : Elements of Group Policy (part 2)

3/8/2011 10:15:15 PM

Group Policy Administrative Templates

GPO administrative templates are, in most cases, a set of text or Extensible Markup Language (XML)–based files that include clearly defined settings that can be set to a number of different values.

Administrative templates are provided to give administrators easy access to many configurable settings commonly used to manage server and workstation computers and end users.

When a new GPO is created, a base set of administrative templates are imported or referenced within that policy. Additional administrative templates can be imported to a particular policy to add functionality as required.

Windows 7 and Windows Server 2008 R2 Central Store

Each GPO in the Active Directory forest will have a corresponding folder stored in the sysvol folder on each domain controller in the domain in which the GPO is created. If the domain controllers in the particular domain are running Windows Server 2003, each of these GPO folders would contain a copy of each of the administrative templates loaded in that particular GPO. This created many duplicated administrative template files and required additional storage space and increased replication traffic.

Starting with the new Group Policy infrastructure included with Windows Vista and Windows Server 2008 and continuing with Windows 7 and Windows Server 2008 R2, newly created GPOs only store the files and folders required to store the configured settings, scripts, registry.pol, and other GPO-related files. When the GPO is opened for editing or processed by a Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 computer, the local copy of the administrative templates is referenced but not copied to the new GPO folder in sysvol. Instead, the administrative templates are referenced from files stored on the local workstations or the domain central store.

The GPO central store is a file repository that houses each of the next generation administrative templates. The central store would contain all of the new ADMX and ADML administrative templates and each workstation would reference the files on the domain controller they are using to process group policies. With a central store created, when a GPO is opened or processed, the system first checks for the existence of the central store and then only uses the templates stored in the central store.

The GPO central store can be created within Active Directory infrastructures running any version of Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 domain controllers.

Starter GPOs

Windows Server 2008 and Windows Server 2008 R2 Group Policy Management Console provide a new feature of GPO management called starter GPOs. Starter GPOs are similar to regular GPOs, but they only contain settings available from administrative templates. Just as security templates can be used to import and export the configured settings within the security section of a policy, starter GPOs can be used to prepopulate configured settings in the Administrative Templates sections of the Computer Configuration and User Configuration nodes within a GPO. After the release of Windows Server 2008 and included in Windows Server 2008 R2, Microsoft released a set of predefined starter GPOs for Windows Vista and Windows XP. The predefined settings in these starter GPOs are based on information that can be found in the Windows XP and Windows client security guide published by Microsoft. These particular starter GPOs are read-only policies, but administrators can create their own starter GPOs as needed by the organization.

Policy Settings

Policy settings are simply the configurable options made available within a particular GPO. These settings are provided from the base administrative templates, security settings, scripts, policy-based QOS, and, in some cases, software deployment packages. Many policy settings correspond one to one with a particular Registry key and value. Depending on the particular settings, different values, including free-form text, might be acceptable as a legitimate value.

GPO policy settings are usually configurable to one of three values: not configured, enabled, or disabled. It is very important for administrators to understand not only the difference among these three values, but to also understand what the particular policy setting controls. For example, a policy setting that disables access to Control Panel will block access to Control Panel when enabled but will allow access when disabled.

GPO policy settings apply to either a computer or a user object. Within a particular GPO, an administrator might find the same policy setting within both the Computer Configuration and User Configuration nodes. In cases like this, if the policy setting is configured for both objects, the computer setting will override the user setting if the policy is linked to the user object and the workstation to which the user is logged on.

Preference Settings

Group Policies have two main setting nodes, including the Computer and User Configuration nodes. Each of these contains two main nodes as well, the Policies and Preferences setting nodes. The group policy extensions presented in the Preferences node provide administrators with the ability to configure many default or initial configuration and environmental settings for users and computers. One really great feature of GPO Preferences is Item-Level Targeting, which only applies a certain preference, such as setting the Start menu on Windows 7 workstations to configure the power button to perform a logoff instead of a computer shutdown, to only defined users or groups within the Item-Level Target definition of that GPO. When a user logs on to a workstation and has that preference applied, this will be the initial setting, but users would be able to change that setting if they desire. One important distinction that all GPO administrators must make is that policies set and enforce settings, whereas preferences configure initial settings but do not block the settings from changes. 

Group Policy Object Links

GPO links are the key to deploying GPOs to a predetermined set of Active Directory computers and/or users. GPO links define where the particular policy or policies will be applied in terms of the Active Directory domain and site hierarchy design.

GPOs can be linked to Active Directory sites, domains, and organizational units (OUs). Also, a single GPO can be linked to multiple sites, domains, and OUs in a single forest. This gives administrators the flexibility to create a single policy and apply it to several different sets of computers and users within an Active Directory forest.

The design of the Active Directory infrastructure, including site design, domain and tree design, and OU hierarchy, is critical to streamlining targeted GPO application. Careful planning and consideration should be taken into account during the Active Directory design phase with regard to how GPOs will be used and how user, group, and computer objects will be organized.

GPO links can also be disabled as required, to assist with troubleshooting GPO application or processing.

Group Policy Link Enforcement

Microsoft provides administrators with many ways to manage their infrastructure, including forcing configurations down from the top. GPO link “enforcement,” historically known as “No Override,” is an option of a GPO link that can be set to ensure that the settings in a particular policy will be applied and maintained even if another GPO has the same setting configured with a different value. GPO link enforcement is shown in Figure 2.

Figure 2. Enforcing a group policy.

This function should be used with caution because it might result in undesired functionality or a different level of security than what is required to run a particular service or application or manage a system. Before enabling GPO enforcement on any policy, carefully research and test to ensure that this will not break any functionality or violate an organization’s IT or regulatory policy.

Other -----------------
- Windows Server 2008 R2 : Group Policies and Policy Management - Security Templates
- Windows Server 2008 R2 : Local Group Policies
- Windows Server 2008 R2 : Group Policy Processing—How Does It Work?
- Understanding DNS in Windows Server 2003 Networks
- Understanding Name Resolution in Windows Server 2003
- Windows Server 2008 R2 Administration : Managing Printers with the Print Management Console
- Windows Server 2008 R2 Administration : Managing Users with Local Security and Group Policies (part 3) - Troubleshooting Group Policy Applications
- Windows Server 2008 R2 Administration : Managing Users with Local Security and Group Policies (part 2) - Configuring and Optimizing Group Policy
- Windows Server 2008 R2 Administration : Managing Users with Local Security and Group Policies (part 1) - Viewing Policies with the Group Policy Management Console & Creating New Group Policies
- Windows Server 2008 R2 Administration : Creating Groups
 
 
Video tutorials
- How To Install Windows 8 On VMware Workstation 9

- How To Install Windows 8

- How To Install Windows Server 2012

- How To Disable Windows 8 Metro UI

- How To Change Account Picture In Windows 8

- How To Unlock Administrator Account in Windows 8

- How To Restart, Log Off And Shutdown Windows 8

- How To Login To Skype Using A Microsoft Account

- How To Enable Aero Glass Effect In Windows 8

- How To Disable Windows Update in Windows 8

- How To Disable Windows 8 Metro UI

- How To Add Widgets To Windows 8 Lock Screen
programming4us programming4us
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 windows Phone 7 windows Phone 8
programming4us programming4us
 
Popular keywords
HOW TO Swimlane in Visio Visio sort key Pen and Touch Creating groups in Windows Server Raid in Windows Server Exchange 2010 maintenance Exchange server mail enabled groups Debugging Tools Collaborating
programming4us programming4us
 
programming4us
Women
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone