Tuesday, July 5, 2011

Server 2008 Group Policy in depth

A basic explanation of Group Policy can be found here.

Group Policies are applied to computer and user objects at startup, at shutdown and at the refresh interval, which is 90 minutes by default. The Gpupdate.exe command-line utility can be used to refresh Group Policy manually. Every GPO (Group Policy Object) includes a revision number, and processing of a GPO is skipped if it hasn't changed since it was last applied. This rule doesn't apply to logon and logoff scripts within a GPO, since they need to run regardless.



GPO Processing of computer configuration
A GPO is applied to a computer at startup, at shutdown and at the refresh interval, which is 90 minutes by default on member servers and 5 minutes on domain controllers. GPO processing at startup works by contacting the domain controller. GPO processing of the computer configuration can be qualified by OU (Organizational Unit), by security filtering (security groups) and by WMI filters (hardware or software configuration). WMI filters are an advanced concept but very powerful. For example, you can apply a particular GPO to all computers in the domain that run Server 2008 version 6.0.6001. The WMI filter would be something like: SELECT * FROM Win32_OperatingSystem WHERE Version = '6.0.6001'
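As an added example (this is not code from the original post), the following PowerShell checks a WMI filter's WQL query on the local machine before the filter is attached to a GPO, using Get-WmiObject as it exists on Server 2008 with PowerShell 2.0. The first query is the one from the paragraph above; the LIKE variant, the ProductType variant and the function name Test-WmiFilterQuery are my additions.

```powershell
# Added example, not from the original post. Runs a WMI filter's WQL query locally
# so you can see whether this machine would be in scope before the filter is
# attached to a GPO. Get-WmiObject is present on Server 2008 / PowerShell 2.0.

function Test-WmiFilterQuery {
    param([Parameter(Mandatory = $true)][string]$Query)
    # Group Policy treats a filter as TRUE when its query returns at least one
    # instance, so an empty result means "GPO not applied" on this machine.
    $instances = @(Get-WmiObject -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
    New-Object PSObject -Property @{
        Query   = $Query
        Applies = ($instances.Count -gt 0)
    }
}

# The filter quoted in the post, with the quotes written correctly.
$exact = "SELECT * FROM Win32_OperatingSystem WHERE Version = '6.0.6001'"

# WQL string comparison is exact: 6.0.6001 matches, but a machine at 6.0.6002
# (Service Pack 2) does not, so a patched server silently drops out of the GPO's
# scope. A LIKE pattern scopes the filter to the whole 6.0 line instead.
$family = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.0.%'"

# ProductType separates client, domain controller and member server:
# 1 = workstation, 2 = domain controller, 3 = server.
$memberServers = "SELECT * FROM Win32_OperatingSystem WHERE Version LIKE '6.0.%' AND ProductType = 3"

"Local OS version: " + (Get-WmiObject Win32_OperatingSystem).Version
$exact, $family, $memberServers |
    ForEach-Object { Test-WmiFilterQuery -Query $_ } |
    Format-Table Applies, Query -AutoSize
```

Run it on a representative server and on a domain controller: a filter that returns Applies = False on a machine you expected to be in scope is the usual reason a GPO "doesn't apply" with no error reported.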




GPO Processing of user configuration
GPO processing of the user configuration is very similar to computer processing. A GPO is applied to a user at logon and logoff instead of at startup and shutdown. GPO processing of the user configuration can be qualified by OU (Organizational Unit) and by security filtering (security groups).



Local Computer Policy vs Active Directory Group Policy
Local Computer Policy can be found on most Windows systems. You can run gpedit.msc to open Local Computer Policy. Local Computer Policy allows configuration of settings that usually cannot be configured through Control Panel or the command line. Windows Server 2008 and Windows Vista now allow multiple local policies.


Active Directory Group Policy is applied when a computer is joined to an Active Directory domain. This allows centralized management of Group Policy settings by the administrator.


Server 2008 Group Policy Components:

GPO -- Group Policy Objects
A Group Policy Object refers to a file/object that defines a set of user configuration and computer configuration settings. The Group Policy Management Console is used to edit a Group Policy Object to define the user and computer configuration.

ADM folder
This folder only exists when older GPOs are imported from administrative templates (ADM files). This includes GPOs created on Windows XP, Server 2003, etc.

Group Policy Object, User folder
The User folder in a Group Policy Object contains settings, MSI installers, scripts and anything else that relates to the user configuration of the object.

Group Policy Object, Machine folder
The Machine folder in a Group Policy Object contains settings, MSI installers, scripts and anything else that relates to the machine configuration of the object.

Registry.pol Files
Most settings within a GPO are configured by using registry keys. These registry keys and values are stored in registry.pol files, which can exist in both the User and Machine folders.

Gpt.ini File
This file can be found at the root of the GPO folder in the SYSVOL share. It contains the revision number, which tracks the changes made to the GPO. As mentioned above, the revision number is used by the client to save processing time.
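As an added example (not code from the original post), the following PowerShell reads both artifacts described above straight from SYSVOL: it splits the gpt.ini revision into its user and computer halves, and it decodes the entries of a registry.pol file so the settings a client will actually apply can be reviewed or compared between domain controllers without opening the GPMC. The GPO path and the GUID placeholder are stand-ins for your own domain; the function names Get-GpoRevision and Read-RegistryPol are my own.

```powershell
# Added example, not from the original post. Reads a GPO's gpt.ini revision and
# decodes its registry.pol entries directly from SYSVOL. Path and GUID below are
# placeholders for your own domain.

function Get-GpoRevision {
    param([Parameter(Mandatory = $true)][string]$GpoPath)
    # gpt.ini stores one DWORD: the high 16 bits are the user revision and the
    # low 16 bits the computer revision. Either half changing makes clients
    # reprocess that side of the GPO.
    $line = Get-Content (Join-Path $GpoPath 'gpt.ini') |
        Where-Object { $_ -match '^Version=' } | Select-Object -First 1
    $v = [uint32]($line -replace '^Version=', '')
    New-Object PSObject -Property @{
        Version          = $v
        UserRevision     = [math]::Floor($v / 65536)
        ComputerRevision = $v % 65536
    }
}

function Read-RegistryPol {
    param([Parameter(Mandatory = $true)][string]$Path)
    $b   = [System.IO.File]::ReadAllBytes($Path)
    $u16 = [System.Text.Encoding]::Unicode
    # The file opens with the ASCII signature "PReg" and a DWORD format version (1).
    if ([System.Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') {
        throw "Not a registry.pol file: $Path"
    }
    $pos = 8
    # Each entry is UTF-16LE text of the form [key;valueName;type;size;data].
    # The brackets and semicolons are 2-byte characters; key and valueName are
    # NUL-terminated strings; type and size are 4-byte DWORDs; data is raw bytes.
    while ($pos -lt $b.Length) {
        $pos += 2                                              # '['
        $start = $pos
        while (-not ($b[$pos] -eq 0 -and $b[$pos + 1] -eq 0)) { $pos += 2 }
        $key = $u16.GetString($b, $start, $pos - $start)
        $pos += 4                                              # NUL + ';'
        $start = $pos
        while (-not ($b[$pos] -eq 0 -and $b[$pos + 1] -eq 0)) { $pos += 2 }
        $name = $u16.GetString($b, $start, $pos - $start)
        $pos += 4                                              # NUL + ';'
        $type = [BitConverter]::ToUInt32($b, $pos); $pos += 6  # DWORD + ';'
        $size = [BitConverter]::ToUInt32($b, $pos); $pos += 6  # DWORD + ';'
        $data = New-Object byte[] $size                        # size may be 0
        [Array]::Copy($b, $pos, $data, 0, $size)
        $pos += $size + 2                                      # data + ']'
        $value = switch ($type) {
            1       { $u16.GetString($data).TrimEnd([char]0) }  # REG_SZ
            2       { $u16.GetString($data).TrimEnd([char]0) }  # REG_EXPAND_SZ
            4       { [BitConverter]::ToUInt32($data, 0) }      # REG_DWORD
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        New-Object PSObject -Property @{
            Key = $key; ValueName = $name; Type = $type; Value = $value
        }
    }
}

# Placeholder path: replace the domain and the GUID with a real GPO folder.
$gpo = '\\yourdomain.net\SYSVOL\yourdomain.net\Policies\{GUID-OF-GPO}'
Get-GpoRevision -GpoPath $gpo
Read-RegistryPol -Path (Join-Path $gpo 'Machine\registry.pol') |
    Format-Table Key, ValueName, Value -AutoSize
```

Value names that start with `**` (for example `**DeleteValues` or `**del.`) are not registry values but instructions to the client to delete values; they show up in the output exactly as stored. Running Read-RegistryPol against the same GPO folder on two domain controllers and comparing the output is a quick way to confirm that SYSVOL replication has delivered the same settings everywhere.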

SYSVOL, FRS and DFSR
Active Directory stores GPO information in the domain naming context partition of the NTDS database. The GPO settings are located in the SYSVOL folder share of every domain controller. The specific location is the SYSVOL\yourdomain.net\Policies folder, under which each GPO's folder is named by its GUID. Windows Server 2003 uses FRS (File Replication Service) to replicate the SYSVOL folder, but Server 2008 uses DFSR (Distributed File System Replication) for better efficiency. By default, intra-site replication occurs every 5 minutes between domain controllers, and inter-site replication depends on your Active Directory site link settings.



Group Policy Administrative Templates
Administrative Templates are a set of settings often used by administrators. They are delivered as a set of text-based (ADM) or XML-based (ADMX/ADML) files.

Server 2008 Central Store
This is the centralized store of administrative templates that is part of the Server 2008 Group Policy infrastructure. An administrator can create the GPO Central Store in the SYSVOL folder to hold ADMX and ADML administrative templates.

Starter GPOs
Starter GPOs allow storage of policy settings in a single object so that they can be loaded into new GPOs. This eliminates re-configuration of common settings when creating new GPOs. It also allows importing and exporting of GPOs between Active Directory forests.

Group Policy Link Enforcement
Group Policy Link Enforcement is a way to enforce a GPO even when Group Policy inheritance is blocked.

Group Policy Loopback Processing
Group Policy Loopback Processing applies the User Configuration settings of GPOs linked to the computer's container to whichever user logs on, so that both the Computer Configuration and User Configuration nodes of those GPOs take effect on that computer.
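As an added example (not code from the original post), the following PowerShell applies the two mechanisms described in the last two sections and then checks the result. It assumes the GroupPolicy module, which ships with Server 2008 R2 and the RSAT tools rather than with Server 2008 itself, and that the GPO named in step 1 is already linked to the OU (New-GPLink creates the link). The GPO names and the OU distinguished name are placeholders.

```powershell
# Added example, not from the original post. Assumes the GroupPolicy module
# (Server 2008 R2 / RSAT) is installed. GPO names and the OU DN are placeholders.
Import-Module GroupPolicy

$ou = 'OU=Kiosks,DC=yourdomain,DC=net'

# 1. Enforce the link. An enforced GPO still applies below an OU that has
#    "Block Inheritance" set, and its settings win over conflicting settings
#    from GPOs linked closer to the object. Assumes 'Baseline Security' is
#    already linked to $ou.
Set-GPLink -Name 'Baseline Security' -Target $ou -Enforced Yes

# 2. Turn on loopback processing in the GPO linked to the kiosk computers.
#    Loopback is a Machine-side registry.pol value:
#    UserPolicyMode 1 = Merge (user's own GPOs plus the computer's),
#    UserPolicyMode 2 = Replace (only the GPOs linked to the computer's container).
Set-GPRegistryValue -Name 'Kiosk Lockdown' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# 3. Check how the OU resolves its links: blocked inheritance is reported, and
#    enforced links from parent containers are still listed.
$inh = Get-GPInheritance -Target $ou
"Inheritance blocked on $ou : " + $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks | Format-Table DisplayName, Enforced, Enabled, Order -AutoSize

# 4. On a kiosk computer, refresh and confirm which GPOs supplied the user
#    settings (run these in a command prompt on the client):
#    gpupdate /force
#    gpresult /r /scope:user
```

Replace mode is the one to use for a kiosk or shared-terminal lockdown, because the user's own GPOs are ignored entirely; Merge mode is the safer default when you only want to add computer-specific user settings on top of what the user already receives.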
