group policy - part 2 of 3 rick claus it pro advisor microsoft canada rick.claus@microsoft.com

Group Policy - Part 2 of 3

Rick ClausRick ClausIT Pro AdvisorIT Pro Advisor

Microsoft CanadaMicrosoft Canada

rick.claus@microsoft.comrick.claus@microsoft.comhttp://blogs.technet.com/rclaushttp://blogs.technet.com/rclaus

What Will We Cover?

• Advanced Group Policy management

• Deploying software with Group Policy

• Group Policy troubleshooting

Agenda

• Implementing Group Policy

• Deploying Software

• Troubleshooting Group Policy

Domain-Level Security Settings

Account Policies

Local Policies

IP Security Policies

File and Registry ACLs

Software Restriction Policies

Account Policies

Local Policies

IP Security Policies

File and Registry ACLs

Software Restriction Policies

Demo

Configuring Domain Policies

demonstration

Software Restriction Policies

Software Restriction Policies

Application started

Hash Rule

Certificate Rule

Path Rule

Internet Zone Rule

Using Software Restriction PoliciesUnrestricted

C:\WINDOWS\SYSTEM32\eventquery.vbsC:\WINDOWS\SYSTEM32\eventquery.vbsC:\WINDOWS\SYSTEM32\pagefileconfig.vbsC:\WINDOWS\SYSTEM32\pagefileconfig.vbs\\LOGIN_SRV\Scripts\CustomerScript1.vbs\\LOGIN_SRV\Scripts\CustomerScript1.vbsC:\Documents and Settings\ILUVU.txt.vbsC:\Documents and Settings\ILUVU.txt.vbs

Demo

Software Restriction Policies

demonstration

Managing Desktops

Local Folder

Shared Network Folder

Elevated privileges

Demo

Managing Desktops

demonstration

Group Policy Filtering

• Security filtering

Refines which users and computers process GPO

• WMI filtering

Filter based on attributes of target computer

Best practice: If you deny GPOs to certain users, disable Read access as well.Best practice: If you deny GPOs to certain users, disable Read access as well.

Group Policy Inheritance

• Link order

• Block inheritance

• Enforcement

• Link status

www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx

Demo

Group Policy Filtering and Inheritance

demonstration

Agenda

• Implementing Group Policy

• Deploying Software

• Troubleshooting Group Policy

Software Deployment Options

SMS

WSUSGroup Policy

Rich, granular software distributionRich, granular software distribution

Approve and distribute critical updatesApprove and distribute critical updatesTargeted software deploymentTargeted software deployment

Group Policy Software Deployment

Demo

Deploying Software with Group Policy

demonstration

Session Recap

• Domain-level security settings

• Software restriction policies

• Group Policy filtering and inheritance

• Software deployment with Group Policy

Agenda

• Implementing Group Policy

• Deploying Software

• Troubleshooting Group Policy

Use the Troubleshooting Flowchart

Does Group Policy Results lists the

policy as applied?

Yes NoIs the setting listed?

Is the GPO in the

Denied list?

1. Inheritance2. Asynchronous3. Loopback

1. Replication2. GP Refresh3. Slow Link

1. Security Filtering2. Disabled GPO3. WMI Filter

1. SOM2. GP Refresh3. Network

Yes No Yes

No

Network and Replication Issues

Intersite ReplicationSlow Link Connections

DNS

SMB and LDAP

Group Policy Troubleshooting Tools

> GPResult.exe

> GPMonitor.exe

> GPOTool.exe

> ADDiag.exe

Demo

Troubleshooting Group Policy

demonstration

Session Summary• Group Policy is a powerful tool

• Deploy software through Group Policy

• Several tools are available for troubleshooting Group Policy

For More Information

Visit TechNet at

www.microsoft.ca/technet

Rick ClausRick ClausIT Pro AdvisorIT Pro Advisor

Microsoft CanadaMicrosoft Canada

rick.claus@microsoft.comrick.claus@microsoft.comhttp://blogs.technet.com/rclaushttp://blogs.technet.com/rclaus