Contents
Overview
Identifying Business Needs
Applying Group Policy in Active Directory
Planning for Group Policy
Lab A: Designing Group Policy and a Supporting Active Directory Structure
Review
Module 5: Designing Active Directory to Support Group Policy
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows NT, Active Directory, BackOffice, PowerPoint, Visual Basic, and
Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Project Lead: Andy Sweet (S&T OnSite)
Instructional Designers: Andy Sweet (S&T OnSite), Ravi Acharya (NIIT), Sid Benavente,
Richard Rose, Kathleen Norton
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Lorrin Smith-Bates (Volt), Megan Camp (Independent Contractor)
Technical Contributors: Angie Fultz, Lyle Curry, Brian Komar (3947018 Manitoba, Inc.), Jim
Clark (Infotec Commercial Systems), Bill Wade (Excell Data Corporation), David Stern, Steve
Tate, Greg Bulette (Independent Contractor), Kathleen Cole (S&T OnSite)
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Jeffrey Gilbert (Wasser)
Copy Editor: Patti Neff (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T OnSite)
Compact Disc and Lab Testing: Testing Testing 123
Production Support: Ed Casper (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart
Instructor Notes
This module begins by providing techniques for identifying the Group Policy
needs of an organization. The module then offers strategies for applying Group
Policy at different levels to Active Directory™ objects. Finally, the module
provides guidelines for creating and documenting a Group Policy plan for an
organization, and creating the necessary structure to support the Group Policy.
At the end of this module, students will be able to:
• Identify administrative needs that can be addressed through Group Policies.
• Determine the appropriate site, domain, or organizational unit (OU) level at
  which to apply a Group Policy.
• Design a Group Policy plan based on the administrative needs of an
  organization and design an Active Directory structure to support the plan.
Lab A, Designing Group Policy and a Supporting Active Directory Structure,
begins with hands-on exercises in which the student will be given a Group
Policy plan for an organization. The students will run a script that creates an
OU structure for the lab, and then implement the Group Policy plan. Finally, the
students will log on as various users and use the GPResults.exe tool to test the
Group Policies that were implemented in the previous exercise.
In the planning exercises, students are provided with criteria, including an
existing OU design, to support an administrative plan. Students will work in
pairs to create a Group Policy design for the OU structure. They will then
redesign the OU structure to better facilitate Group Policy design. Student
volunteers will present and defend their designs to the class. As you lead the
discussion, reinforce best practices and map design decisions back to business
needs.
Materials and Preparation
This section provides you with the required materials and preparation tasks that
are needed to teach this module.
Required Materials
To teach this module, you need the following materials:
• Microsoft® PowerPoint® file 1561b_03.ppt
• Visio 2000
Preparation Tasks
To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the lab.
• Read the following technical white paper located on the Trainer Materials
  compact disc:
  - Introduction to Windows 2000 Group Policy
Presentation: 45 Minutes
Lab: 105 Minutes
Instructor Setup for a Lab
This section provides setup instructions that are required to prepare the
instructor computer or classroom configuration for a lab.
Lab A: Designing Group Policy and a Supporting Active Directory Structure
Ensure that the GPResults.exe tool runs from the command prompt of all
student computers and the instructor computer.
Ensure that Visio 2000 Enterprise Edition is installed on the instructor
computer and all student computers and that the Active Directory template is
operational. Also ensure that the \\London\Solutions\Lab5 directory is shared
and accessible from the student computers.
Exercise 1 is a hands-on exercise where the students will follow procedures to
implement the Group Policy plan set forth in the exercise scenario. The
instructions are step-by-step but the students must first select the Group Policy
object (GPO) they wish to modify after they decide which GPOs require which
policy settings.
In Exercise 2 the students will log on to their computers as various users to
ensure that the settings from the previous exercise have been properly
implemented. The students may also use the GPResults tool from the command
prompt to verify that the proper settings have been made. When the students
test for the Training1 user, they will not be able to test whether the settings tab
is available. This is because the Control Panel is disabled and therefore all of
the individual control panels are disabled.
Exercise 3 is a planning exercise where the students are given a scenario and a
set of Group Policy requirements. The scenario includes an existing OU
structure that the students are required to use when planning GPOs. The
students should not create any extra OUs but should use filtering, block
inheritance, and loopback to meet the requirements. Through this exercise the
students will see that creating new OUs will make GPO creation easier.
Exercise 4 is also a planning exercise where the students will add OUs to the
existing OU design to better facilitate GPO design. The students will then plan
OUs to minimize Group Policy filtering.
Module Strategy
Use the following strategy to present this module:
• Identifying Business Needs
  Begin the module by emphasizing the importance of determining levels of
  management required by different areas in an organization prior to
  designing the Active Directory structure. Describe the tasks in an
  organization that can be performed by using Group Policy.
• Applying Group Policy in Active Directory
  Explain the advantages and disadvantages of applying GPOs to site,
  domain, and OU containers. Discuss the general guidelines to consider
  when applying Group Policy to Active Directory.
• Planning for Group Policy
  Explain that a Group Policy plan must be based on the administrative needs
  of an organization, and then describe how to design an Active Directory
  structure to support the plan. Explain the importance of filtering,
  inheritance, and blocking of GPOs. Discuss how Group Policy performance
  can be optimized. Finally, explain guidelines for creating, testing, and
  documenting a Group Policy plan for an organization.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
The lab in this module requires students to use Visio 2000 to document their
designs. Visio 2000 is demonstrated in course 1561B, module 3, Designing
Active Directory to Delegate Administrative Authority. If Visio has not been
previously demonstrated to students, refer to module 3 for instructions on
demonstrating Visio 2000.
The lab in this module includes a script to be run at the beginning and end of
the lab, creating and returning the computer to the default configuration for the
course. As a result, there are no lab setup requirements or configuration changes
that affect replication or customization.
Overview
• Identifying Business Needs
• Applying Group Policy in Active Directory
• Planning for Group Policy
Group Policy is used in Microsoft® Windows® 2000 Active Directory™ to
administer many aspects of client computer configuration, from installing
software to managing the user environment. The Group Policy object (GPO) is
used to apply Group Policy to users and computers in the Active Directory
directory service at the site, domain, and organizational unit (OU) level.
How an organization will use Group Policy depends on the level of client
management desired. The plan for using Group Policy will impact the creation
of lower-level OUs in the design of the Active Directory structure.
At the end of this module you will be able to:
• Identify administrative needs that can be managed through Group Policy.
• Determine the appropriate site, domain, or OU level at which to apply a
  Group Policy.
• Design a Group Policy plan based on the administrative needs of an
  organization and design an Active Directory structure to support the plan.
Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about using Group Policy within
Active Directory and designing Active Directory to support Group Policy.
Identifying Business Needs
• Group Policy Is Applied:
  - Frequently in Highly Managed IT Networks
  - Infrequently in Minimally Managed IT Networks
• Group Policy Is Used to:
  - Enforce Security
  - Create Common Configurations
  - Simplify Computer Build Process
  - Limit Distribution of Applications
When determining how Group Policy will be implemented in an organization,
begin by identifying which areas of the organization require a high level of
management and which areas require less management. Next, determine the
ways in which GPOs will be used to fulfill management needs.
Level of Management
The extent of Group Policy use to manage client computers is determined by
the level of service the Information Technology (IT) department will provide to
the user. Because network administration can be delegated, you can use
different levels of IT management in different areas of the organization. The
two types of management environments are as follows:
• Highly Managed. In highly managed environments the administrators of the
  domain or OU will use Group Policy to configure user and computer
  environments. Such Group Policy settings might include software
  distribution and maintenance, desktop security, offline folders management,
  and logon, logoff, startup, and shutdown scripts.
• Minimally Managed. Environments that do not require a great deal of
  management will, to varying degrees, perform their own troubleshooting,
  install their own software, and may even replace their own hardware.
  Administrators in this type of environment use Group Policy sparingly.
Slide Objective: To identify the levels of management required in an
organization and how Group Policy supports these levels.
Lead-in: Group Policy will be used more frequently in organizations that highly
manage computer and user environments.
Group Policy Objectives
To determine the business reasons for using Group Policy, you need to know
the functions Group Policy can perform. You can use Group Policy to perform
the following tasks:
• Enforce common security standards. GPOs can be used to set consistent
  security parameters for all computers of a particular class. For example, it is
  recommended that domain controllers all have common security parameters
  restricting who can log on to the computer locally, and who can gain access
  to the domain controller remotely. Security policy is most commonly
  applied to domains, domain controllers, and servers.
• Enforce computer and user configuration. Groups of computers and users
  will likely require common configurations. For example, while some users
  may log on at several workstations as a part of their job functions, they may
  still require a common configuration at each workstation.
• Simplify the process for configuring computers. Group Policy can distribute
  applications, which can simplify computer configuration. Group Policy
  allows the administrator to send, or push, a set of applications to a
  workstation or user with minimum effort. This process of distributing
  applications is especially useful in highly managed environments where the
  IT department is responsible for distributing and managing all applications
  in the enterprise.
• Limit distribution of applications. Group Policy can simplify enforcing the
  legal compliance of computers and users by allowing the network
  administrator to restrict the distribution of applications for which there is a
  limited number of licenses.
Applying Group Policy in Active Directory
• Applying Group Policy at the Site Level
• Applying Group Policy at the Domain Level
• Applying Group Policy at the OU Level
• Design Guidelines
GPOs can be created for sites, domains, and OUs. Applying GPOs at any of
these three levels has advantages and disadvantages that can affect the scope of
the GPO and how inheritance is passed between containers. For example,
applying a GPO at the site or domain level affects more objects than applying a
GPO at an OU level. However, applying GPOs at the site or domain level offers
less control over each individual object than does applying GPOs at the OU
level.
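The following is an added example, not part of the course material: a small Python model of how site, domain, and OU links combine with Block Inheritance and group filtering to decide which GPOs reach an object in a planned design. It goes beyond the paragraph above by including the Windows 2000 No Override link option, which lets a higher-level link survive blocking. The container and GPO names are constructed, and the local GPO and loopback are left out.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class GPO:
    name: str
    denied_groups: frozenset = frozenset()  # filtering: groups denied "Apply Group Policy"
    no_override: bool = False               # link option that survives Block Inheritance

@dataclass
class Container:                            # a site, domain, or OU
    name: str
    parent: Optional["Container"] = None
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def effective_gpos(site, leaf, member_of):
    """GPO names that reach an object in `leaf`, in application order."""
    chain, node = [], leaf
    while node is not None:                 # walk leaf OU -> parent OUs -> domain
        chain.append(node)
        node = node.parent
    chain = [site] + chain[::-1]            # site, domain, then OUs top-down
    # Deepest container that blocks inheritance; links above it are dropped.
    cut = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    applied = []
    for depth, container in enumerate(chain):
        for gpo in container.links:
            if depth < cut and not gpo.no_override:
                continue                    # blocked by a lower container
            if gpo.denied_groups & set(member_of):
                continue                    # filtered out for this principal
            applied.append(gpo.name)
    return applied

def missing_required(site, leaf, member_of, required):
    """Required GPOs that the design fails to deliver to this object."""
    return sorted(set(required) - set(effective_gpos(site, leaf, member_of)))

# Constructed sample design (all names are illustrative assumptions).
SITE = Container("HQ-Site", links=[GPO("Site Proxy")])
DOMAIN = Container("example.com", links=[GPO("Domain Security", no_override=True)])
ROANOKE = Container("Roanoke", parent=DOMAIN,
                    links=[GPO("Roanoke Desktop", frozenset({"Roanoke Admins"}))])
KIOSKS = Container("Kiosks", parent=ROANOKE, block_inheritance=True,
                   links=[GPO("Kiosk Lockdown")])

if __name__ == "__main__":
    for ou, groups in [(ROANOKE, {"Roanoke Users"}), (ROANOKE, {"Roanoke Admins"}),
                       (KIOSKS, {"Roanoke Users"})]:
        print(ou.name, sorted(groups), "->", effective_gpos(SITE, ou, groups))
```

Running `missing_required` over every OU in a draft design shows where a security GPO linked high in the tree is silently dropped by a lower container's Block Inheritance or by a filter.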
Slide Objective: To identify the levels at which Group Policy can be applied.
Lead-in: The site, domain, or OU level at which you apply Group Policy will
affect which sets of users and computers are affected.
[...]

... inheritance to prevent Group Policy from being applied to particular subsets of users and computers.

Designing Group Policy to Meet Administrative Needs
Slide Objective: To describe the administrative roles regarding Group Policy.
Strategy
Lead-in
Delegate the Right to Create New GPOs
Throughout Active ...

... Policy settings
Linking: Users listed in Active Directory container ACLs that set who can link GPOs to objects in Active Directory. An IT group may create a standard set of GPOs that can be linked by lower level Group Policy administrators.

Prioritizing Application of Group Policy Objects
Slide Objective: To describe the importance of the order ...

... local Group Policy objects are always applied.

Optimizing Group Policy Performance
Slide Objective: To describe the factors that can optimize Group Policy performance.
Lead-in: You can configure Group Policy settings to optimize the application of Group Policy on the network.
• Optimize Group Policy Performance Over Slow Connections by Adjusting: ...

... you can use to configure Group Policy
• Designing Group Policy to Meet Administrative Needs
• Prioritizing Application of Group Policy Objects
• Filtering Group Policy Objects
• Group Policy Inheritance and Blocking
• Optimizing Group Policy Performance
• Testing and Documenting the Group Policy Plan
• Design Guidelines
You can configure Group Policy settings in conjunction with Active Directory in your ...

... single GPO than to create many GPOs. One GPO with one hundred Group Policy settings processes faster than one hundred GPOs with only one Group Policy setting each.

Planning for Group Policy
Slide Objective: To identify the steps involved in planning Group Policy.
Lead-in: Once you have determined where you will apply Group Policy, there are ...

... one that sets the extension to run no matter how slow the connection.

Testing and Documenting the Group Policy Plan
Slide Objective: To describe key points of testing and documenting Group Policy implementation.
• When Testing Group Policy: ...
Lead-in: You must test your Group Policy plan prior to implementation to ensure that it performs ...

... GPO containing folder redirection settings and registry-based Group Policy settings for User Configuration.

Lab A: Designing Group Policy and a Supporting Active Directory Structure
Slide Objective: To introduce the lab.
Lead-in: In this lab, you will implement and design Group Policy based on the administrative needs of an organization.
Explain ...

... Regional OUs

Exercise 4
Redesigning an OU Structure for Group Policy
You have 20 minutes to complete this exercise. Work in pairs to redesign the OU structure based on the Group Policy design created in exercise 3.
Design Decisions
1. Use Visio to redesign the OU structure to better support the creation and administration of your Group Policy design ...

... user-based Group Policy with computer-based Group Policy using loopback only when you want the computer environment to be the same no matter which user logs on.

Filtering Group Policy Objects
Slide Objective: To describe how filtering GPOs will prevent their being applied to certain groups of users.
Lead-in: Filtering is used to ...

... used to exempt objects from Group Policy.
[Slide: Filtering Prevents Group Policy from Being Applied (Roanoke OU, Users, Roanoke Admins)]
Key Points
Group Policy cannot be applied to groups, but can be denied to specific groups. Filtering is used to exempt objects from Group Policy. For example, you will want to exempt the group that administers who ...