Contents Overview 1 Introduction to Group Policy 2 Group Policy Structure 3 How Group Policy Settings Are Applied in Active Directory 10 Modifying Group Policy Inheritance 17 Lab A: Implementing Group Policy 22 Delegating Administrative Control of a Group Policy Object 35 Lab B: Delegating Group Policy Administration 36 Best Practices 42 Review 43 Module 4: Implementing Group Policy Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. ??1999 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, PowerPoint, and Windows either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Other product and company names mentioned herein may be the trademarks of their respective owners. Project Lead and Instructional Designer: Mark Johnson Instructional Designers : Aneetinder Chowdhry (NIIT Inc.), Kathryn Yusi (Independent Contractor) Lead Program Manager: Ryan Calafato Program Manager: Joern Wettern (Wettern Network Solutions) Graphic Artist: Julie Stone (Independent Contractor) Editing Manager: Tina Tsiakalis Substantive Editor: Kelly Baker (Write Stuff) Copy Editor: Wendy Cleary (S&T OnSite) Online Program Manager: Nikki McCormick Online Support: Arlo Emerson (MacTemps) Compact Disc Testing: Data Dimensions, Inc. Production Support: Arlene Rubin (S&T OnSite) Manufacturing Manager: Bo Galford Manufacturing Support: Mimi Dukes (S&T OnSite) Lead Product Manager, Development Services: Elaine Nuerenberg Lead Product Manager: Sandy Alto Group Product Manager: Robert Stewart Module 4: Implementing Group Policy iii Introduction This module provides students with an introduction to Group Policy in Microsoft® Windows® 2000 and the general knowledge and skills to implement Group Policy settings. Students will learn about the structure of Group Policy, and Group Policy inheritance. This will provide students with the knowledge that they need to correctly set up Group Policy in their networks. Students will also learn how to delegate control of Group Policy objects (GPOs). In the two hands-on labs in this module, students will have a chance to implement Group Policy. In the first lab, students will create and link GPOs and work with Group Policy inheritance. In the second lab, students will delegate control of a GPO. Materials and Preparation This section provides you with the materials and preparation needed to teach this module. Materials To teach this module, you need the following materials: ?? Microsoft PowerPoint® file 1558A_04.ppt Preparation To prepare for this module, you should: ?? Read all the materials for this module. ?? Complete the labs. ?? Study the review questions and prepare alternative answers to discuss. ?? Anticipate questions that students may ask. Write out the questions and provide the answers. ?? Read the white papers, Introduction to Windows 2000 Group Policy and Windows 2000 Group Policy on the Student Materials compact disc. Presentation: 60 Minutes Lab: 75 Minutes iv Module 4: Implementing Group Policy Instructor Setup for a Lab This section provides setup instructions required to prepare the instructor computer or classroom configuration for a lab. Lab A: Implementing Group Policy To prepare for the lab, you must create several GPOs in Nwtraders.msft that are not linked to a site, domain, or organizational unit (OU). ??To create the GPOs in Nwtraders.msft 1. Log on as Administrator@nwtraders.msft with a password of password. 2. Start Active Directory Users and Computers, in the console tree, right-click nwtraders.msft, and then click Properties. 3. On the Group Policy tab, click Add. 4. In the Add a Group Policy Object Link dialog box, on the All tab, right- click the All Group Policy Objects in this domain window, and then click New. 5. Type Corporate Standard Desktop and then press ENTER. 6. Repeat steps 4 and 5 to create the Restricted Desktop and Restricted My Documents GPOs. ??To edit and configure the Corporate Standard Desktop GPO 1. In the Add a Group Policy Object Link dialog box, in the All Group Policy Objects in this domain window, right-click Corporate Standard Desktop, and then click Edit. 2. In the Group Policy console tree, expand User Configuration, expand Administrative Templates, and then click Start Menu & Taskbar. 3. In the details pane, double-click Remove common program groups from Start menu. 4. In the Remove common program groups from Start menu dialog box, select the Remove common program groups from Start menu check box. 5. Repeat steps 3 and 4 to enable the following settings: ?? Disable and remove links to the Windows Update icon. ?? Remove the Documents menu from the Start menu. ?? Do not keep history of recently opened documents. 6. Close Group Policy. Module 4: Implementing Group Policy v ??To edit the settings for the remaining GPOs ?? Repeat the previous procedure to configure the following Administrative Templates settings for users. In this GPO Enable this setting Restricted Desktop Start Menu & Taskbar\Disable changes to Control Panel Settings Start Menu & Taskbar\Disable changes to Taskbar and Start Menu Desktop\Hide My Network Places icon on the desktop Restricted My Documents Desktop\Prohibit user from changing My Documents path ??To allow Group Policy Admins from student domains to administer the Corporate Standard Desktop GPO 1. In the Add a Group Policy Object Link dialog box, in the All Group Policy Objects in this domain window, right-click Corporate Standard Desktop, and then click Properties. 2. On the Security tab, click Add. 3. In the Select Users, Computers, or Groups dialog box, in the Look in box, select the first student domain, and under Name, double-click Group Policy Admins. 4. Repeat step 3 for the Group Policy Admins in the remaining student domains, and then click OK. 5. On the Security tab, under Name, select each instance of Group Policy Admins, select the Allow check box next to Full Control, and then click OK. 6. When you have finished configuring GPO settings, in the Add a Group Policy Object Link dialog box, click Cancel to return to the Properties dialog box for nwtraders.msft without linking the GPOs that you just created. 7. Click Cancel to close the Add a Group Policy Object Link dialog box, and log off Windows 2000. vi Module 4: Implementing Group Policy Module Strategy Use the following strategy to present this module: ?? Introduction to Group Policy In this topic, you will introduce Group Policy, including a high-level overview of how Group Policy works. Mention the tasks that an administrator can perform with Group Policy. Emphasize that by using Group Policy, an administrator can configure settings once, and Windows 2000 continually applies those settings to multiple users and computers. ?? Group Policy Structure In this topic, you will explain the structure of Group Policy in a network. First, explain the different types of Group Policy settings. Next, present information on GPOs. Emphasize that a GPO consists of a Group Policy container (GPC) and a Group Policy template (GPT). Then present information on the linking of GPOs to Active Directory ™ directory service containers. Emphasize that settings in the GPO affect computers and users in the containers to which the GPO is linked. Demonstrate the process of creating a GPO. Finally, explain how to link an existing GPO, and demonstrate the process. ?? How Group Policy Settings Are Applied in Active Directory In this topic, you will explain how Group Policy is applied in Active Directory. First, explain the order in which Windows 2000 processes Group Policy settings. Emphasize that Windows 2000 processes computer settings before user settings. Then, present information on Group Policy inheritance. Emphasize that the order in which Group Policy objects are applied is sites, domains, and then OUs. Next, explain the process that determines resultant Group Policy. The slide is animated so that you can display a new step on the slide as you talk about it. Finally, present the class discussion on how Group Policy is applied. There are two slides. The first slide poses the question, and the second slide provides the answer. Display the second slide after students have provided their answers. ?? Modifying Group Policy Inheritance In this topic, you will explain how to modify Group Policy inheritance. First, present information on how to block the inheritance of Group Policy settings from parent containers. Demonstrate the process. Emphasize that a block cannot stop a forced GPO. Then present information on how to force Group Policy settings, and demonstrate the process. Next, present information on filtering the Group Policy settings by using Group Policy permission. Emphasize that you can only prevent settings from applying to specific users, computers, or security groups. Finally, present the class discussion on how Group Policy is applied. The first slide poses the question, and the second slide provides the answer. Display the second slide after students have provided their answers. ?? Lab A: Implementing Group Policy Prepare students for the lab in which they will create and link GPOs and modify Group Policy inheritance. Students will work alone. Make sure that they run the command file for the lab. After students have completed the lab, ask them whether they have any questions. Module 4: Implementing Group Policy vii ?? Delegating Administrative Control of a Group Policy Object In this topic, you will explain how to delegate administrative control of a GPO. Emphasize that an administrator only delegates control of a GPO if the user that needs control of the GPO settings does not have administrative privileges for the container to which the GPO is linked. ?? Lab B: Delegating Group Policy Administration Prepare students for the lab in which they will delegate control of GPOs. Students will work alone. After students have completed the lab, ask them whether they have any questions. ?? Best Practices Present best practices for implementing Windows 2000 Group Policy. Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware. The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for course 1558A, Advanced Administration for Microsoft Windows 2000. Lab Setup The following list describes the setup requirements for the labs in this module. Setup Requirement 1 ?? The labs in this module require a regular user account for the student. To prepare student computers to meet this requirement, create the user account manually. Setup Requirement 2 The labs in this module require the Log on locally right for domain controllers to be assigned to the Everyone group. To prepare student computers to meet this requirement, perform one of the following actions: ?? Run C:\MOC\Win1558A\Labfiles\Lab04\Setup\Lab04.cmd. ?? Assign the right manually. Setup Requirement 3 The labs in this module require that a shortcut for Active Directory Domains and Trusts, Active Directory Users and Computers, and Active Directory Sites and Services exists on the desktop of the regular user account. To prepare student computers to meet this requirement, perform one of the following actions: ?? Log on to the domain by using the regular user account and run C:\MOC\Win1558a\Labfiles\Lab04\Setup\Lab04.cmd. Important viii Module 4: Implementing Group Policy ?? Create the shortcuts manually and place them in C:\Winnt\Profiles\All Users\Desktop. Setup Requirement 4 The labs in this module require the following OUs and user accounts. A number (1 or 2) assigned by you is to be substituted for the variable x in the labs. One student in each pair uses number 1, the other student uses number 2. This OU In this organizational unit Accounting x Top Level OU in the domain Accounts Payable Accounting x Accounting Receivable Accounting x This user account In this organizational unit AcctgUserx Accounting x AcctAdminx Accounting x AppUserx Accounting x APUserx Accounts Payable ARUserx Accounting Receivable To prepare student computers to meet this requirement, perform one of the following actions: ?? Run C:\MOC\Win1558A\Labfiles\Lab04\Setup\Lab04.cmd. ?? Create the OUs and user accounts manually. Lab Results Performing the labs in this module introduces the following configuration changes: ?? Students link GPOs from the Nwtraders.msft domain to OUs in their domain. ?? Students create GPOs linked to Information Services OUs in their domain. ?? Students modify the permissions for the GPOs that they created to allow a user to administer them. You can run C:\MOC\Win1558A\Labfiles\Lab04\Setup\Lab04rm.cmd to remove most configuration changes introduced during the labs in the module. Remove the Log on locally right from the Everyone group manually. Manually delete the GPOs created by students. Important Module 4: Implementing Group Policy 1 Overview ? Introduction to Group Policy ? Group Policy Structure ? How Group Policy Settings Are Applied in Active Directory ? Modifying Group Policy Inheritance ? Delegating Administrative Control of Group Policy Objects ? Best Practices Group Policy in Microsoft® Windows® 2000 provides you with greater administrative control over users and computers in your network. By using Group Policy, you can define the state of a user’s work environment once, and then rely on Windows 2000 to continually enforce the Group Policy settings that you define. You can apply Group Policy settings that are network-wide, or policies that pertain only to specific groups of users and computers. Lost productivity is frequently attributed to user errors. By using Group Policy to reduce the complexity of user environments and to remove the possibility of users incorrectly configuring these environments, productivity increases, and the network requires less technical support. Consequently, you lower your total cost of ownership (TCO). At the end of this module, you will be able to: ?? Identify how Group Policy simplifies administration in a Windows 2000 network. ?? Identify the structure of Group Policy in a Windows 2000 network. ?? Describe how Group Policy is applied in Active Directory ™ directory service. ?? Modify Group Policy inheritance. ?? Delegate administrative control of Group Policy objects. ?? Apply best practices for implementing Group Policy. Slide Objective To provide an overview of the module topics and objectives. Lead-in In this module, you will learn about using Group Policy to manage desktop environments in a Windows 2000 network. Briefly present the course objectives. Do not go into detail on this topic. 2 Module 4: Implementing Group Policy Introduction to Group Policy ? Set Centralized and Decentralized Policies ? Ensure Users Have Their Required Environments ? Control User and Computer Environments ? Enforce Corporate Policies Site Site Domain Domain OU OU Windows 2000 Applies Continually Windows 2000 Applies Continually Users Users Computers Computers Administrator Sets Group Policy Once Administrator Sets Group Policy Once Group Policy Group Policy Group Policy is the technology that allows you to define user desktop environments once, with user and computer settings, and then rely on Windows 2000 to continually enforce the policy that you defined throughout the network. You can associate Group Policy settings with Active Directory containers: sites, domains, and organizational units (OUs). The Group Policy then affects all users and computers in those containers. By using Group Policy you can: ?? Centralize policies by setting corporate-wide policy at the site or domain level, or decentralize Group Policy settings by setting department-wide policy at an OU level. ?? Ensure that users have the user environments that they need to perform their jobs by controlling their environments. This includes Group Policy that controls registry settings (applications and system configuration settings), scripts to modify the computer and user environment, automated software installations, and security settings for local computers, domains, and networks. You can also control where users’ data folders are stored. ?? Lower the cost of operation by controlling user and computer environments. This reduces the level of technical support that users require and lost user productivity due to user error. For example, by using Group Policy, you can prevent users from making changes to system configurations that can make a computer inoperable, or you can prevent them from installing applications that they do not require. ?? Enforce a corporation’s policies, including business rules, goals, and security needs. For example, you can ensure that security requirements for all users match the security required by the corporation, and that all users have the required Human Resource documents or company mission statements available on their desktops. Slide Objective To introduce Group Policy and to present the advantages of using Group Policy when administering a Windows 2000 network. Lead-in Windows Group Policy provides you with tremendous capabilities to administer your network. After defining what Group Policy can do, briefly discuss the bullets on the slide. Key Points Administrators can use Group Policy to configure settings once and have Windows 2000 continually apply those settings. You can associate Group Policy with specific Active Directory containers (sites, domains, and OUs). [...].. .Module 4: Implementing Group Policy ? Group Policy Structure Slide Objective To introduce how Group Policy is structured in Windows 2000 ? Types of Group Policy Settings Lead-in ? Group Policy Objects ? Group Policy Objects and Active Directory Containers ? Creating a Group Policy Object ? Linking an Existing Group Policy Object You need to understand the structure of Group Policy in order... user’s My Documents folder to a network share Module 4: Implementing Group Policy 5 Group Policy Objects Slide Objective To explain the GPO and its components Group Policy Container Lead-in ? Located The mechanism for implementing Group Policy settings is the Group Policy object It contains the settings that you configure Group Policy Object ?Contains Group Policy settings ?Content stored In two locations... Directory, you can set Group Policy settings that are organizational-wide or that affect only one department 3 4 Module 4: Implementing Group Policy Types of Group Policy Settings Slide Objective To describe the different types of Group Policy settings that an administrator can configure Types of Group Policy Settings Types of Group Policy Settings Administrative Registry-based Group Policy Administrative... menu The Group Policy setting ensuring that the Windows Update icon is on the Start menu was processed after the Group Policy setting that removed it from the desktop Module 4: Implementing Group Policy 17 ? Modifying Group Policy Inheritance Slide Objective To introduce the options available for modifying Group Policy Inheritance ? Blocking Group Policy Settings Lead-in ? Forcing Group Policy Settings... the Group Policy tab, and then click the Up and Down buttons to change its position 16 Module 4: Implementing Group Policy Class Discussion: How Group Policy Is Applied Slide Objective To check students’ understanding of how Group Policy is applied Lead-in This is an example of how resultant Group Policy settings are determined Let’s go through the example together and determine the resultant Group Policy. .. affects the resultant Group Policy settings that apply to computers and users Briefly mention the topics that this section covers Define resultant group policy settings for students ? When Group Policy Settings Are Processed ? Group Policy Inheritance ? How Resultant Group Policies Are Determined ? Resultant Group Policy Settings ? Class Discussion: How Group Policy Is Applied How Group Policy is applied... Properties dialog box for the site, domain, or OU at which you want to block inheritance 2 On the Group Policy tab, click Block Policy Inheritance Module 4: Implementing Group Policy 19 Forcing Group Policy Settings Slide Objective To explain forcing and how to force the inheritance of Group Policy settings Forced Group Policy Settings: Domain Lead-in Windows 2000 allows you to force GPOs down the Active Directory... have GPOs linked to it, the Group Policy settings from parent containers higher in the Active Directory tree are applied to its users and computers first Then the child container’s own Group Policy settings are applied 14 Module 4: Implementing Group Policy How Resultant Group Policy Settings Are Determined Slide Objective To describe how individual computers apply Group Policy settings 1 Log On 3... the Group Policy settings in the GPT, the client computer connects to a domain controller in the domain in which the GPO was created Module 4: Implementing Group Policy 15 Resultant Group Policy Settings Slide Objective To show how multiple GPOs set at different levels of Active Directory affect users and computers ? All Group Policy Settings Apply Unless There Are Conflicts ? Resultant Group Policy. .. you want resides 6 In the Group Policy Objects linked to this container box, click the GPO to which you want to link, and then click OK The Group Policy Objects linked to this container box contains all of the GPOs that exist in the site 9 10 Module 4: Implementing Group Policy ? How Group Policy Settings Are Applied in Active Directory Slide Objective To introduce how Group Policy settings are applied . 4 Module 4: Implementing Group Policy Types of Group Policy Settings Types of Group Policy Settings Types of Group Policy Settings Types of Group Policy. types of Group Policy settings, administrators have flexibility in how they use Group Policy. Module 4: Implementing Group Policy 5 Group Policy