What's a Group Policy Object?
Group Policy Objects give you control over what users and computers can do, and a lot more!
* A GPO contains settings that can be configured to control what happens with users and computers.
* There are literally thousands of different settings that can be configured inside each GPO.
* GPOs are used with containers (Domains, Sites and OUs), but are not applied to Groups (although Groups can play a part!).
Local vs Domain
* Every Windows computer has a local group policy to control what can be done on it and what is restricted, but you don't want to go around to all the computers in your domain and configure all the settings manually.
* You'll want to join the rest of the world and administer group policy from AD.
* You can configure each computer separately using LOCAL POLICY, or configure all your machines at once from the comfort of your desk.
CREATING AND LINKING GPOs
* We can create a Group Policy Object easily, but then we have to link it to the appropriate container (usually an OU) before it takes effect on the users and/or computers.
* A single GPO can be linked to multiple containers so you can re-use it over and over.
Ex: A GPO that controls wallpapers can be linked to TWO OUs (Ex: NYUsers and ITUsers).
Note: Even LINKS are AD objects, too.
GPOs can be linked at different levels.
* At the Domain level, everything in the Domain is affected. Ex: Default Domain Policy.
* At the OU level, everything in the OU is affected. Ex: NewYorkOU or NYUsers.
* We normally don't link GPOs at the Site level, but we can. Ex: Sites > NewYork.
There are two different sides to a GPO.
* Group Policy has two sides: Users and Computers.
* While you can configure settings for both sides in any one GPO, we generally don't (this is why we separate users and computers into separate OUs).
* Each side of Group Policy has Policies and *NEW* Preferences.
* Generally, we create separate GPOs for Users and Computers.
HOW GPOs ARE APPLIED, AND IN WHICH ORDER?
GP settings are applied in a very specific order:
Local computer policy > Site policy > Domain policy > OU policy
Remember it this way: L-S-D-OU
Also: the last one wins (when two GPOs configure the same setting, the one applied later overrides the earlier one).
You can create a single GPO with settings such as Lock Desktop Wallpaper, Removable Drives, Control Panel and Software Installation, apply it to the NYUsers OU, and then test it out with an NYUsers user account.
Steps:
Open Group Policy Management > Domains > domain.com > NYUsers > right-click > select "Create a GPO in this domain and link it here" > give the GPO a name (Ex: LOCK) > go to User Configuration and enable the required settings.
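The same steps done with the GroupPolicy PowerShell module instead of clicking through GPMC. This is an added example, not part of the original notes; it assumes the domain is domain.com, the target OU is OU=NYUsers,DC=domain,DC=com, a wallpaper image at \\domain.com\NETLOGON\corp.jpg, and a machine with RSAT (or a domain controller). The Software Installation setting is left out because it needs a package share. The Get-GPInheritance call at the end is the check for the L-S-D-OU section above: it lists the links on the OU and those inherited from the domain and site, so you can see which GPOs reach NYUsers and in what order.

```powershell
# Added example (not from the original notes): build and link the "LOCK" GPO
# with the GroupPolicy module. Assumed: domain.com, OU=NYUsers, NETLOGON wallpaper.
Import-Module GroupPolicy

$domainDn = 'DC=domain,DC=com'                 # assumed domain
$ouDn     = "OU=NYUsers,$domainDn"             # target container from the notes
$gpoName  = 'LOCK'

# 1. Create the GPO, then link it to the OU (creation alone does nothing until linked).
$gpo = New-GPO -Name $gpoName -Comment 'Desktop lockdown for NYUsers'
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# 2. Populate User Configuration. Each Set-GPRegistryValue writes the registry
#    policy value that the corresponding Administrative Template setting sets.
# User Config > Admin Templates > Desktop > Desktop > "Desktop Wallpaper"
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'Wallpaper' -Type String -Value '\\domain.com\NETLOGON\corp.jpg' | Out-Null
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'WallpaperStyle' -Type String -Value '2' | Out-Null   # 2 = Stretch
# User Config > Admin Templates > Control Panel > "Prohibit access to Control Panel and PC settings"
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
# User Config > Admin Templates > System > Removable Storage Access > "All Removable Storage classes: Deny all access"
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# 3. Verify: the GPO exists, the OU sees it (plus anything inherited from
#    domain/site links above it), and an HTML report shows the settings.
Get-GPO -Name $gpoName | Format-List DisplayName, Id, GpoStatus, CreationTime
Get-GPInheritance -Target $ouDn | Format-List Path, GpoLinks, InheritedGpoLinks
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

After the GPO is linked, log on to a test machine with an NYUsers account and run gpupdate /force followed by gpresult /r; the LOCK GPO should be listed under "Applied Group Policy Objects" for the user.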
Sometimes we may need to reorganize a bit.
* Since GPOs are applied at the OU level, we may need to separate out Users and/or Computers into separate OUs for different rights and restrictions.
* We can separate our users into separate OUs and apply different GPOs to each.
* We can separate our users into separate OUs inside of NYUsers and Block Inheritance on certain OUs for a particular GPO.
* We can use Security Filtering to exempt certain user accounts and/or groups from having a GPO applied to them.
OPTION 1:
We can separate out our users into child OUs and link separate GPOs to each OU. Each GPO has settings appropriate for each department.
OPTION 2:
We can separate our users into separate OUs inside of NYUsers and Block Inheritance on certain OUs for a particular GPO.
Ex: To stop a GPO linked higher up from being applied to a certain OU, select the OU and click Block Inheritance. To make it apply again regardless, set the GPO link to Enforced.
OPTION 3:
We can use Security Filtering to exempt certain user accounts and/or groups from having a GPO applied to them.
* If we use security permissions to deny the Read and Apply Group Policy permissions, those groups are exempt from the policy - even if the policy is Enforced!
Combination of Techniques
* We can still use Lock Desktop for all our users, but we'll use Security Filtering and the Delegation tab in the GPMC to exempt the Executives and ITUsers groups from having it applied.
* In order to use GP more efficiently in the future, we should break our users out into separate OUs.
* Deny Read and Apply Group Policy on the Lock GPO for the required group. Ex: ITUsers group.
To apply a GPO to a group: go to Group Policy Management > select the created policy link (Ex: Lock Desktop policy) > Scope tab > Security Filtering > Add the groups; the policy will then be applied to those groups.
To restrict or exempt a certain group from the Group Policy:
Go to Group Policy Management > select the created policy link (Ex: Lock Desktop policy) > Delegation tab > Add the group > Advanced > select the group > tick Deny for Read and Apply Group Policy > OK; the policy will then no longer be applied to that group.
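Options 2 and 3 and the combination above, scripted with the GroupPolicy and ActiveDirectory modules. This is an added example, not part of the original notes; it assumes domain.com, OU=NYUsers,DC=domain,DC=com with a child OU named Executives, a GPO called "Lock Desktop" already linked at NYUsers, and groups named ITUsers and Executives. Set-GPPermission only writes Allow entries, so the Deny that the Delegation > Advanced dialog sets is written here directly to the GPO's ACL in AD, using the well-known "Apply Group Policy" extended right GUID.

```powershell
# Added example (not from the original notes): Block Inheritance, Enforced, and
# a Deny of Read + Apply Group Policy for exempt groups. Assumed names below.
Import-Module GroupPolicy
Import-Module ActiveDirectory      # provides the AD: drive used for the GPO object's ACL

$domainDn = 'DC=domain,DC=com'              # assumed domain
$nyUsers  = "OU=NYUsers,$domainDn"
$execOu   = "OU=Executives,$nyUsers"        # assumed child OU for Option 2
$gpoName  = 'Lock Desktop'
$exempt   = @('ITUsers', 'Executives')      # groups named in the notes

# Option 2: block inheritance on the child OU so GPOs linked at NYUsers, the
# domain or the site no longer flow into it ...
Set-GPInheritance -Target $execOu -IsBlocked Yes | Out-Null
# ... and mark the NYUsers link Enforced where it must apply anyway. An Enforced
# link ignores Block Inheritance and wins conflicts with links lower down.
Set-GPLink -Name $gpoName -Target $nyUsers -Enforced Yes | Out-Null

# Option 3 / combination: explicit Deny of Read and Apply Group Policy for the
# exempt groups. A Deny ACE beats the default Authenticated Users Allow, so the
# groups stay exempt even though the link is Enforced.
$gpo     = Get-GPO -Name $gpoName
$gpoPath = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$applyGp = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # "Apply Group Policy" extended right
$acl     = Get-Acl -Path $gpoPath
foreach ($groupName in $exempt) {
    $sid = (Get-ADGroup -Identity $groupName).SID
    # Deny "Apply Group Policy" (the extended right identified by $applyGp)
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny, $applyGp)))
    # Deny "Read", matching the second box the GPMC dialog offers
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Deny)))
}
Set-Acl -Path $gpoPath -AclObject $acl

# Verify: inheritance state and link order on the child OU, and the GPO's
# permission table with the Denied column showing the exempt groups.
Get-GPInheritance -Target $execOu | Format-List GpoInheritanceBlocked, GpoLinks, InheritedGpoLinks
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission, Denied -AutoSize
```

Two things to watch when checking the result. GPMC keeps the GPO's AD ACL and its SYSVOL folder ACL in sync; after changing the AD ACL directly, opening the GPO in GPMC may report that the two are inconsistent and offer to fix it, which just copies the AD permissions to SYSVOL. And if you ever remove Authenticated Users from Security Filtering to scope the GPO to a specific group, leave Authenticated Users (or Domain Computers) with Read: since the June 2016 update MS16-072, user policy is retrieved using the computer account, and a GPO the computer cannot read is silently skipped. On a client, gpresult /r lists an exempted GPO under "The following GPOs were not applied because they were filtered out" with the reason "Denied (Security)".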