Thông tin tài liệu
Contents
Overview 1
Introduction to Group Policy 2
Group Policy Structure 3
How Group Policy Settings Are Applied in
Active Directory 10
Modifying Group Policy Inheritance 17
Lab A: Implementing Group Policy 22
Delegating Administrative Control of a
Group Policy Object 35
Lab B: Delegating Group Policy
Administration 36
Best Practices 42
Review 43
Module 4: Implementing
Group Policy
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
??1999 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, PowerPoint, and Windows either registered trademarks or trademarks
of Microsoft Corporation in the U.S.A. and/or other countries.
The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Project Lead and Instructional Designer: Mark Johnson
Instructional Designers : Aneetinder Chowdhry (NIIT Inc.), Kathryn Yusi
(Independent Contractor)
Lead Program Manager: Ryan Calafato
Program Manager: Joern Wettern (Wettern Network Solutions)
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Substantive Editor: Kelly Baker (Write Stuff)
Copy Editor: Wendy Cleary (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Arlo Emerson (MacTemps)
Compact Disc Testing: Data Dimensions, Inc.
Production Support: Arlene Rubin (S&T OnSite)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Product Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart
Module 4: Implementing Group Policy iii
Introduction
This module provides students with an introduction to Group Policy in
Microsoft® Windows® 2000 and the general knowledge and skills to implement
Group Policy settings. Students will learn about the structure of Group Policy,
and Group Policy inheritance. This will provide students with the knowledge
that they need to correctly set up Group Policy in their networks. Students will
also learn how to delegate control of Group Policy objects (GPOs).
In the two hands-on labs in this module, students will have a chance to
implement Group Policy. In the first lab, students will create and link GPOs and
work with Group Policy inheritance. In the second lab, students will delegate
control of a GPO.
Materials and Preparation
This section provides you with the materials and preparation needed to teach
this module.
Materials
To teach this module, you need the following materials:
?? Microsoft PowerPoint® file 1558A_04.ppt
Preparation
To prepare for this module, you should:
?? Read all the materials for this module.
?? Complete the labs.
?? Study the review questions and prepare alternative answers to discuss.
?? Anticipate questions that students may ask. Write out the questions and
provide the answers.
?? Read the white papers, Introduction to Windows 2000 Group Policy and
Windows 2000 Group Policy on the Student Materials compact disc.
Presentation:
60 Minutes
Lab:
75 Minutes
iv Module 4: Implementing Group Policy
Instructor Setup for a Lab
This section provides setup instructions required to prepare the instructor
computer or classroom configuration for a lab.
Lab A: Implementing Group Policy
To prepare for the lab, you must create several GPOs in Nwtraders.msft that are
not linked to a site, domain, or organizational unit (OU).
??To create the GPOs in Nwtraders.msft
1. Log on as Administrator@nwtraders.msft with a password of password.
2. Start Active Directory Users and Computers, in the console tree, right-click
nwtraders.msft, and then click Properties.
3. On the Group Policy tab, click Add.
4. In the Add a Group Policy Object Link dialog box, on the All tab, right-
click the All Group Policy Objects in this domain window, and then
click New.
5. Type Corporate Standard Desktop and then press ENTER.
6. Repeat steps 4 and 5 to create the Restricted Desktop and Restricted My
Documents GPOs.
??To edit and configure the Corporate Standard Desktop GPO
1. In the Add a Group Policy Object Link dialog box, in the All Group
Policy Objects in this domain window, right-click Corporate Standard
Desktop, and then click Edit.
2. In the Group Policy console tree, expand User Configuration, expand
Administrative Templates, and then click Start Menu & Taskbar.
3. In the details pane, double-click Remove common program groups from
Start menu.
4. In the Remove common program groups from Start menu dialog box,
select the Remove common program groups from Start menu check box.
5. Repeat steps 3 and 4 to enable the following settings:
?? Disable and remove links to the Windows Update icon.
?? Remove the Documents menu from the Start menu.
?? Do not keep history of recently opened documents.
6. Close Group Policy.
Module 4: Implementing Group Policy v
??To edit the settings for the remaining GPOs
?? Repeat the previous procedure to configure the following Administrative
Templates settings for users.
In this GPO Enable this setting
Restricted Desktop Start Menu & Taskbar\Disable changes to Control
Panel Settings
Start Menu & Taskbar\Disable changes to Taskbar
and Start Menu
Desktop\Hide My Network Places icon on
the desktop
Restricted My Documents
Desktop\Prohibit user from changing My
Documents path
??To allow Group Policy Admins from student domains to administer the
Corporate Standard Desktop GPO
1. In the Add a Group Policy Object Link dialog box, in the All Group
Policy Objects in this domain window, right-click Corporate Standard
Desktop, and then click Properties.
2. On the Security tab, click Add.
3. In the Select Users, Computers, or Groups dialog box, in the Look in box,
select the first student domain, and under Name, double-click Group
Policy Admins.
4. Repeat step 3 for the Group Policy Admins in the remaining student
domains, and then click OK.
5. On the Security tab, under Name, select each instance of Group Policy
Admins, select the Allow check box next to Full Control, and then
click OK.
6. When you have finished configuring GPO settings, in the Add a Group
Policy Object Link dialog box, click Cancel to return to the Properties
dialog box for nwtraders.msft without linking the GPOs that you
just created.
7. Click Cancel to close the Add a Group Policy Object Link dialog box,
and log off Windows 2000.
vi Module 4: Implementing Group Policy
Module Strategy
Use the following strategy to present this module:
?? Introduction to Group Policy
In this topic, you will introduce Group Policy, including a high-level
overview of how Group Policy works. Mention the tasks that an
administrator can perform with Group Policy. Emphasize that by using
Group Policy, an administrator can configure settings once, and
Windows 2000 continually applies those settings to multiple users
and computers.
?? Group Policy Structure
In this topic, you will explain the structure of Group Policy in a network.
First, explain the different types of Group Policy settings. Next, present
information on GPOs. Emphasize that a GPO consists of a Group Policy
container (GPC) and a Group Policy template (GPT). Then present
information on the linking of GPOs to Active Directory
™
directory service
containers. Emphasize that settings in the GPO affect computers and users
in the containers to which the GPO is linked. Demonstrate the process of
creating a GPO. Finally, explain how to link an existing GPO, and
demonstrate the process.
?? How Group Policy Settings Are Applied in Active Directory
In this topic, you will explain how Group Policy is applied in Active
Directory. First, explain the order in which Windows 2000 processes Group
Policy settings. Emphasize that Windows 2000 processes computer settings
before user settings. Then, present information on Group Policy inheritance.
Emphasize that the order in which Group Policy objects are applied is sites,
domains, and then OUs. Next, explain the process that determines resultant
Group Policy. The slide is animated so that you can display a new step on
the slide as you talk about it. Finally, present the class discussion on how
Group Policy is applied. There are two slides. The first slide poses the
question, and the second slide provides the answer. Display the second slide
after students have provided their answers.
?? Modifying Group Policy Inheritance
In this topic, you will explain how to modify Group Policy inheritance.
First, present information on how to block the inheritance of Group Policy
settings from parent containers. Demonstrate the process. Emphasize that a
block cannot stop a forced GPO. Then present information on how to force
Group Policy settings, and demonstrate the process. Next, present
information on filtering the Group Policy settings by using Group Policy
permission. Emphasize that you can only prevent settings from applying to
specific users, computers, or security groups. Finally, present the class
discussion on how Group Policy is applied. The first slide poses the
question, and the second slide provides the answer. Display the second slide
after students have provided their answers.
?? Lab A: Implementing Group Policy
Prepare students for the lab in which they will create and link GPOs and
modify Group Policy inheritance. Students will work alone. Make sure that
they run the command file for the lab. After students have completed the
lab, ask them whether they have any questions.
Module 4: Implementing Group Policy vii
?? Delegating Administrative Control of a Group Policy Object
In this topic, you will explain how to delegate administrative control of a
GPO. Emphasize that an administrator only delegates control of a GPO if
the user that needs control of the GPO settings does not have administrative
privileges for the container to which the GPO is linked.
?? Lab B: Delegating Group Policy Administration
Prepare students for the lab in which they will delegate control of GPOs.
Students will work alone. After students have completed the lab, ask them
whether they have any questions.
?? Best Practices
Present best practices for implementing Windows 2000 Group Policy.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
The labs in this module are also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for course 1558A, Advanced Administration
for Microsoft Windows 2000.
Lab Setup
The following list describes the setup requirements for the labs in this module.
Setup Requirement 1
?? The labs in this module require a regular user account for the student. To
prepare student computers to meet this requirement, create the user
account manually.
Setup Requirement 2
The labs in this module require the Log on locally right for domain controllers
to be assigned to the Everyone group. To prepare student computers to meet
this requirement, perform one of the following actions:
?? Run C:\MOC\Win1558A\Labfiles\Lab04\Setup\Lab04.cmd.
?? Assign the right manually.
Setup Requirement 3
The labs in this module require that a shortcut for Active Directory Domains
and Trusts, Active Directory Users and Computers, and Active Directory
Sites and Services exists on the desktop of the regular user account. To
prepare student computers to meet this requirement, perform one of the
following actions:
?? Log on to the domain by using the regular user account and run
C:\MOC\Win1558a\Labfiles\Lab04\Setup\Lab04.cmd.
Important
viii Module 4: Implementing Group Policy
?? Create the shortcuts manually and place them in
C:\Winnt\Profiles\All Users\Desktop.
Setup Requirement 4
The labs in this module require the following OUs and user accounts. A number
(1 or 2) assigned by you is to be substituted for the variable x in the labs. One
student in each pair uses number 1, the other student uses number 2.
This OU In this organizational unit
Accounting x Top Level OU in the domain
Accounts Payable Accounting x
Accounting Receivable Accounting x
This user account In this organizational unit
AcctgUserx Accounting x
AcctAdminx Accounting x
AppUserx Accounting x
APUserx Accounts Payable
ARUserx Accounting Receivable
To prepare student computers to meet this requirement, perform one of the
following actions:
?? Run C:\MOC\Win1558A\Labfiles\Lab04\Setup\Lab04.cmd.
?? Create the OUs and user accounts manually.
Lab Results
Performing the labs in this module introduces the following
configuration changes:
?? Students link GPOs from the Nwtraders.msft domain to OUs in
their domain.
?? Students create GPOs linked to Information Services OUs in their domain.
?? Students modify the permissions for the GPOs that they created to allow a
user to administer them.
You can run
C:\MOC\Win1558A\Labfiles\Lab04\Setup\Lab04rm.cmd to remove most
configuration changes introduced during the labs in the module. Remove the
Log on locally right from the Everyone group manually. Manually delete the
GPOs created by students.
Important
Module 4: Implementing Group Policy 1
Overview
? Introduction to Group Policy
? Group Policy Structure
? How Group Policy Settings Are Applied in
Active Directory
? Modifying Group Policy Inheritance
? Delegating Administrative Control of Group Policy
Objects
? Best Practices
Group Policy in Microsoft® Windows® 2000 provides you with greater
administrative control over users and computers in your network. By using
Group Policy, you can define the state of a user’s work environment once, and
then rely on Windows 2000 to continually enforce the Group Policy settings
that you define. You can apply Group Policy settings that are network-wide, or
policies that pertain only to specific groups of users and computers.
Lost productivity is frequently attributed to user errors. By using Group Policy
to reduce the complexity of user environments and to remove the possibility of
users incorrectly configuring these environments, productivity increases, and
the network requires less technical support. Consequently, you lower your total
cost of ownership (TCO).
At the end of this module, you will be able to:
?? Identify how Group Policy simplifies administration in a Windows 2000
network.
?? Identify the structure of Group Policy in a Windows 2000 network.
?? Describe how Group Policy is applied in Active Directory
™
directory service.
?? Modify Group Policy inheritance.
?? Delegate administrative control of Group Policy objects.
?? Apply best practices for implementing Group Policy.
Slide Objective
To provide an overview of
the module topics and
objectives.
Lead-in
In this module, you will learn
about using Group Policy to
manage desktop
environments in a
Windows 2000 network.
Briefly present the course
objectives. Do not go into
detail on this topic.
2 Module 4: Implementing Group Policy
Introduction to Group Policy
? Set Centralized and Decentralized Policies
? Ensure Users Have Their Required Environments
? Control User and Computer Environments
? Enforce Corporate Policies
Site
Site
Domain
Domain
OU
OU
Windows 2000 Applies Continually
Windows 2000 Applies Continually
Users
Users
Computers
Computers
Administrator Sets Group Policy Once
Administrator Sets Group Policy Once
Group Policy
Group Policy
Group Policy is the technology that allows you to define user desktop
environments once, with user and computer settings, and then rely on
Windows 2000 to continually enforce the policy that you defined throughout
the network. You can associate Group Policy settings with Active Directory
containers: sites, domains, and organizational units (OUs). The Group Policy
then affects all users and computers in those containers.
By using Group Policy you can:
?? Centralize policies by setting corporate-wide policy at the site or domain
level, or decentralize Group Policy settings by setting department-wide
policy at an OU level.
?? Ensure that users have the user environments that they need to perform their
jobs by controlling their environments. This includes Group Policy that
controls registry settings (applications and system configuration settings),
scripts to modify the computer and user environment, automated software
installations, and security settings for local computers, domains, and
networks. You can also control where users’ data folders are stored.
?? Lower the cost of operation by controlling user and computer environments.
This reduces the level of technical support that users require and lost user
productivity due to user error. For example, by using Group Policy, you can
prevent users from making changes to system configurations that can make
a computer inoperable, or you can prevent them from installing applications
that they do not require.
?? Enforce a corporation’s policies, including business rules, goals, and
security needs. For example, you can ensure that security requirements for
all users match the security required by the corporation, and that all users
have the required Human Resource documents or company mission
statements available on their desktops.
Slide Objective
To introduce Group Policy
and to present the
advantages of using Group
Policy when administering a
Windows 2000 network.
Lead-in
Windows Group Policy
provides you with
tremendous capabilities to
administer your network.
After defining what Group
Policy can do, briefly
discuss the bullets on
the slide.
Key Points
Administrators can use
Group Policy to configure
settings once and have
Windows 2000 continually
apply those settings.
You can associate Group
Policy with specific Active
Directory containers (sites,
domains, and OUs).
[...].. .Module 4: Implementing Group Policy ? Group Policy Structure Slide Objective To introduce how Group Policy is structured in Windows 2000 ? Types of Group Policy Settings Lead-in ? Group Policy Objects ? Group Policy Objects and Active Directory Containers ? Creating a Group Policy Object ? Linking an Existing Group Policy Object You need to understand the structure of Group Policy in order... user’s My Documents folder to a network share Module 4: Implementing Group Policy 5 Group Policy Objects Slide Objective To explain the GPO and its components Group Policy Container Lead-in ? Located The mechanism for implementing Group Policy settings is the Group Policy object It contains the settings that you configure Group Policy Object ?Contains Group Policy settings ?Content stored In two locations... Directory, you can set Group Policy settings that are organizational-wide or that affect only one department 3 4 Module 4: Implementing Group Policy Types of Group Policy Settings Slide Objective To describe the different types of Group Policy settings that an administrator can configure Types of Group Policy Settings Types of Group Policy Settings Administrative Registry-based Group Policy Administrative... menu The Group Policy setting ensuring that the Windows Update icon is on the Start menu was processed after the Group Policy setting that removed it from the desktop Module 4: Implementing Group Policy 17 ? Modifying Group Policy Inheritance Slide Objective To introduce the options available for modifying Group Policy Inheritance ? Blocking Group Policy Settings Lead-in ? Forcing Group Policy Settings... the Group Policy tab, and then click the Up and Down buttons to change its position 16 Module 4: Implementing Group Policy Class Discussion: How Group Policy Is Applied Slide Objective To check students’ understanding of how Group Policy is applied Lead-in This is an example of how resultant Group Policy settings are determined Let’s go through the example together and determine the resultant Group Policy. .. affects the resultant Group Policy settings that apply to computers and users Briefly mention the topics that this section covers Define resultant group policy settings for students ? When Group Policy Settings Are Processed ? Group Policy Inheritance ? How Resultant Group Policies Are Determined ? Resultant Group Policy Settings ? Class Discussion: How Group Policy Is Applied How Group Policy is applied... Properties dialog box for the site, domain, or OU at which you want to block inheritance 2 On the Group Policy tab, click Block Policy Inheritance Module 4: Implementing Group Policy 19 Forcing Group Policy Settings Slide Objective To explain forcing and how to force the inheritance of Group Policy settings Forced Group Policy Settings: Domain Lead-in Windows 2000 allows you to force GPOs down the Active Directory... have GPOs linked to it, the Group Policy settings from parent containers higher in the Active Directory tree are applied to its users and computers first Then the child container’s own Group Policy settings are applied 14 Module 4: Implementing Group Policy How Resultant Group Policy Settings Are Determined Slide Objective To describe how individual computers apply Group Policy settings 1 Log On 3... the Group Policy settings in the GPT, the client computer connects to a domain controller in the domain in which the GPO was created Module 4: Implementing Group Policy 15 Resultant Group Policy Settings Slide Objective To show how multiple GPOs set at different levels of Active Directory affect users and computers ? All Group Policy Settings Apply Unless There Are Conflicts ? Resultant Group Policy. .. you want resides 6 In the Group Policy Objects linked to this container box, click the GPO to which you want to link, and then click OK The Group Policy Objects linked to this container box contains all of the GPOs that exist in the site 9 10 Module 4: Implementing Group Policy ? How Group Policy Settings Are Applied in Active Directory Slide Objective To introduce how Group Policy settings are applied .
4 Module 4: Implementing Group Policy
Types of Group Policy Settings
Types of Group Policy Settings
Types of Group Policy Settings
Types of Group Policy.
types of Group Policy
settings, administrators
have flexibility in how they
use Group Policy.
Module 4: Implementing Group Policy 5
Group Policy
Ngày đăng: 24/01/2014, 10:20
Xem thêm: Tài liệu Module 4: Implementing Group Policy docx, Tài liệu Module 4: Implementing Group Policy docx