
Lesson 10: Planning a Group Policy Management and Implementation Strategy

Skills Matrix
Technology Skill: Introducing the Group Policy Management MMC Snap-In
Objective Domain: Configure GPO templates
Objective #: 4.4

Group Policy Management Console


The Group Policy Management MMC snap-in
is a tool for managing Windows Server
2008, Windows Server 2003, and Windows
2000 Active Directory domains.
The Group Policy Management MMC
provides a single access point to all aspects
of Group Policy that were previously spread
across other tools, such as Active Directory
Users and Computers, Active Directory Sites
and Services, Resultant Set of Policy (RSoP),
and the Group Policy Management Editor.
GPMC is natively installed with Windows
Server 2008.

Group Policy Management Console


Import and copy GPO settings to and
from the file system.
Backup and restoration of GPOs is
available in Group Policy Management.
Resultant Set of Policy (RSoP)
functionality integration includes Group
Policy Modeling and Group Policy
Results.
Hypertext Markup Language (HTML)
reports allow read-only views of GPO
settings and RSoP information.

Group Policy Management Console


Search for GPOs based on name,
permissions, WMI filter, GUID, or
policy extensions set in the GPOs.
Search for individual settings within a
GPO by keyword, and search for only
those settings that have been
configured.


Managing an Individual GPO


The following features are available
when a GPO is selected in the Group
Policy Management interface:
Scope
Details
Settings
Delegation

Scope
Allows administrators to view the locations
to which the policy is linked.
In addition, security filtering using
permissions and WMI are available for
viewing, editing, or creating. When a WMI
filter is applied to the policy, it appears in
the list with an Open button that allows
filter modification.
If a WMI filter is not applied to the policy,
the button will allow a new filter to be
created or linked to the GPO.

Details
Allows the GPO to be enabled or
disabled.
It also displays read-only information
that includes the owner, GUID,
creation date, and last modification
date.

Settings
When this tab is activated, an HTML
report is generated that allows
administrators to view GPO settings that
do not have the original default values.
Links on the right side of the report allow
detailed information to be displayed or
hidden.
Right-clicking within this view allows
administrators to print or save the report.

Delegation
Like the previously discussed
Delegation tab for a container object,
this tab lists the users and groups
that have access to this GPO and the
permissions that apply to them. The
Advanced button allows access to
the Security tab to directly view the
GPO's ACL.

Filtering Group Policy Scope


By default, Group Policy settings will apply to all
child objects within the domain, site, or OU to
which they are linked. In addition, the settings will
be inherited down through the Active Directory
structure unless policy inheritance has been
blocked.
Using the Block Policy Inheritance policy setting,
you can prevent policy settings from applying to all
child objects at the current level and all
subordinate levels.
Although the Block Policy Inheritance setting is
useful in some circumstances, it may be necessary
to have a policy apply only when certain conditions
exist or only to a certain group of people.

Filtering Group Policy Scope


To meet the need for refined control over
the application of group policies, two
additional filtering methods, discussed in
the following sections, can be used.
They include the following:
Security Group Filtering. This method
uses the GPO's Security tab to determine
user and group account access to the policy.
WMI Filtering. This method uses filters
written in the WMI Query Language
(WQL), which is similar to structured query
language (SQL), to control GPO application.

Windows Management Instrumentation (WMI)

A component of the Microsoft Windows
operating system that provides management
information and control in an enterprise
environment.
It allows administrators to create queries
based on hardware, software, operating
systems, and services.
These queries can be used to gather data or
to determine where items, such as GPOs, will
be applied.
WMI filters can be used to control which users
or computers will be affected by a GPO based
on defined criteria.
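
Before a WMI filter is linked to a GPO, its WQL queries can be dry-run on a representative computer. The following is an added example, not part of the original lesson; the function name Test-WmiFilter and the two sample queries are hypothetical, and it assumes PowerShell 3.0 or later for Get-CimInstance.

```powershell
# Added example: dry-run the queries of a GPO WMI filter on the local computer.
# A query counts as true when it returns at least one instance; the filter
# as a whole passes only if every query is true.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory = $true)]
        [hashtable[]]$Queries   # each entry: @{ Namespace = '...'; Query = '...' }
    )
    $details = foreach ($q in $Queries) {
        $isMatch = $false
        $problem = $null
        try {
            $hits = @(Get-CimInstance -Namespace $q.Namespace -Query $q.Query -ErrorAction Stop)
            $isMatch = $hits.Count -gt 0
        } catch {
            # This script's own choice: an invalid or failing query counts as "no match".
            $problem = $_.Exception.Message
        }
        [pscustomobject]@{ Query = $q.Query; Match = $isMatch; Error = $problem }
    }
    [pscustomobject]@{
        Applies = @($details | Where-Object { -not $_.Match }).Count -eq 0
        Details = $details
    }
}

# Constructed sample filter: workstation OS and more than 1 GB free on C:.
$sampleFilter = @(
    @{ Namespace = 'root\CIMV2'
       Query     = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1' },
    @{ Namespace = 'root\CIMV2'
       Query     = "SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:' AND FreeSpace > 1073741824" }
)

$result = Test-WmiFilter -Queries $sampleFilter
$result.Details | Format-Table -AutoSize -Wrap
"GPO with this filter would apply here: $($result.Applies)"
```

Running it on one machine from each class the GPO is meant to include or exclude shows whether the filter scopes the policy as intended before it reaches production.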

Resultant Set of Policy (RSoP)


The sum of the policies applied to a user or
computer after all filters, security group
permissions, and inheritance settings, such as
Block Policy Inheritance and Enforce, have
finished processing.
As the application of group policies becomes
more complex within your Active Directory
structure, it can become difficult to predict what
the final policy settings will be when all
processing is complete.
In addition, it may be difficult to trace the origin
of a particular outcome due to policy
inheritance, policy links, and permission
settings.

Resultant Set of Policy (RSoP)


Two modes within RSoP:
Planning mode
Logging mode

Resultant Set of Policy (RSoP)


Planning mode
This mode allows administrators to simulate
the effect of policy settings prior to
implementing them on a computer or user.
This mode is beneficial when planning for
growth or changes to your organization.
You can use planning mode to test the
effects of changes to group policies on your
organization prior to deployment.
You can use planning mode to simulate the
results of a slow link on a GPO in addition to
simulating the loopback process.

Resultant Set of Policy (RSoP)


Logging mode
This mode queries existing policies in
the hierarchy that are linked to sites,
domains, domain controllers, and OUs.
This mode is useful for documenting
and understanding how combined
policies are affecting users and
computers. The results are returned in
an MMC window that can be saved for
later reference.

Using GPResult Command


Although not as easy to read as the
Group Policy Results information that
can be obtained using GPMC,
GPResult is a command-line tool that
allows you to create and display an
RSoP query from the command line.
It provides comprehensive
information about the operating
system, the user, and the computer.
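
GPResult can also write its RSoP data as XML, which makes it possible to list which GPOs were applied and which were stopped by security group or WMI filtering. The following is an added example, not part of the original lesson; the function name Get-GpoFilterSummary is hypothetical, the embedded report is constructed, and the element names (GPO, Name, Enabled, FilterAllowed, AccessDenied) are an assumption about the report layout that should be checked against a report from your own environment.

```powershell
# Added example. A real report comes from:
#   gpresult /scope computer /x report.xml /f
#   $report = [xml](Get-Content report.xml)
# Constructed sample in the assumed shape of that report:
$report = [xml]@'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <GPO><Name>Workstation Baseline</Name><Enabled>true</Enabled>
         <FilterAllowed>true</FilterAllowed><AccessDenied>false</AccessDenied></GPO>
    <GPO><Name>Laptop Disk Encryption</Name><Enabled>true</Enabled>
         <FilterAllowed>false</FilterAllowed><AccessDenied>false</AccessDenied></GPO>
    <GPO><Name>Helpdesk Admin Rights</Name><Enabled>true</Enabled>
         <FilterAllowed>true</FilterAllowed><AccessDenied>true</AccessDenied></GPO>
  </ComputerResults>
</Rsop>
'@

function Get-GpoFilterSummary {
    param(
        [Parameter(Mandatory = $true)][xml]$Report,
        [ValidateSet('ComputerResults', 'UserResults')][string]$Scope = 'ComputerResults'
    )
    # Where-Object { $_ } drops the null produced when a scope has no GPO elements.
    foreach ($gpo in @($Report.Rsop.$Scope.GPO | Where-Object { $_ })) {
        $outcome = if ($gpo.Enabled -ne 'true') {
            'Not applied: GPO disabled'
        } elseif ($gpo.AccessDenied -eq 'true') {
            'Not applied: security group filtering'
        } elseif ($gpo.FilterAllowed -ne 'true') {
            'Not applied: WMI filter returned false'
        } else {
            'Applied'
        }
        [pscustomobject]@{ GPO = $gpo.Name; Outcome = $outcome }
    }
}

Get-GpoFilterSummary -Report $report | Format-Table -AutoSize
```

A security baseline GPO that shows up as not applied on a machine it was meant to cover is the case this summary is meant to surface.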

Summary
Application of group policies can be filtered
by using Block Policy Inheritance, No
Override, permissions, and WMI filters.
WMI filters allow administrative control over
group policy implementation based on
criteria defined in the filter.
After evaluation, all filter criteria must return
a value of true for the policy to be applied.
Any criteria that return a value of false after
evaluation will prevent the policy from being
applied.

Summary
Only one WMI filter can be applied to
each GPO.
GPMC can be used to manage all
aspects of Group Policy, including the
following: creation, linking, editing,
reporting, modeling, backup, restore,
copying, importing, and scripting.
Determining effective group policies
can be accomplished using RSoP,
GPMC, or GPResult.

Summary
RSoP is an MMC snap-in that has two
modes: Planning and Logging.
Planning mode allows administrators
to simulate policy settings prior to
their deployment.
Logging mode reports on the results
of existing policies.

Summary
Delegating administrative control of
Group Policy management tasks is an
important feature when planning a
decentralized administrative
approach.
GPMC is a comprehensive tool that
simplifies delegation of all aspects of
Group Policy management.
