Group Policy Management EditorTo manage domain group policies, the Group Policy Management Editor (GPME) is used and provides the same functionality as the GPOE plus additional functionality only available with this tool. One of the biggest differences is that the GPME includes not only the Policy Settings node, but also the Preferences Settings node, which is only available in domains. GPME is installed on Windows Vista and later by downloading and installing the Remote Server Administration Tools (RSAT) tools for the particular service pack and OS. On Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 OSs, you can install the Group Policy tools from the Add Features applet of Server Manager. Show Lesson 1: Maintaining Group Policy ObjectAs an experienced systems administrator pursuing certification, you have a reasonable idea of how to use Group Policy. The administration of Group Policy doesn’t just occur at the level of configuring individual policies. In large organizations with many policies, it’s necessary to have a maintenance strategy. Ensuring that important Group Policy Objects (GPOs) are backed up and recoverable is as important as backing up and recovering other critical services such as DNS and Dynamic Host Configuration Protocol (DHCP). In this lesson, you’ll learn how to back up, restore, import, and copy GPOs. You’ll also learn how to delegate the management of GPOs. Managing Group Policy ObjectsAs an experienced systems administrator, you are aware that GPOs enable you to configure settings for multiple users and computers. After you get beyond editing GPOs to configure settings, you need to start thinking about issues such as GPO maintenance. For example, if an important document is lost, you need to know how to recover it from backup. Do you know what to do if someone accidentally deletes a GPO that has hundreds of settings configured over a long period of time? The main tool you’ll use for managing GPOs is the Group Policy Management Console (GPMC), shown in Figure 5-1. You can use this console to back up, restore, import, copy, and migrate. You can also use this console to delegate GPO management tasks. There are also a substantial number of cmdlets available in the Windows PowerShell Group Policy module, including the following:
Backing up a GPO enables you to create a copy of a GPO as it exists at a specific point in time. A user must have read permission on a GPO to back it up. When you back up a GPO, the backup version of the GPO is incremented. It is good practice to back up GPOs prior to editing them so that if something goes wrong, you can revert to the unmodified GPO. To back up a GPO, perform the following steps:
You can restore a GPO using the Restore-GPO cmdlet. Restoring a GPO overwrites the current version of the GPO if one exists or re-creates the GPO if the GPO has been deleted. To restore a GPO, right-click the Group Policy Objects node in the GPMC, and click Manage Backups. In the Manage Backups dialog box, shown in Figure 5-4, select the GPO that you want to restore and click Restore. If multiple backups of the same GPO exist, you can select which version of a GPO to restore. FIGURE 5-4 Restoring a GPO from backup Import and copy GPOsImporting a GPO enables you to take the settings in a backed-up GPO and import them into an existing GPO. To import a GPO, perform the following steps:
Remember that when you import settings from a backed-up GPO, the settings in the backed-up GPO overwrite the settings in the destination GPO. Copying a GPO creates a new GPO and copies all configuration settings from the original to the new. You can copy GPOs from one domain to another. You can also use a migration table when copying a GPO to map security principals referenced in the source domain to security principals referenced in the destination domain. To copy a GPO, perform the following steps:
Fixing GPO problemsWindows Server 2012 and Windows Server 2012 R2 include command line utilities that allow you to repair GPO after you perform a domain rename or recreate default GPOs. If you need to recreate the default GPOs for a domain, use the DCGPOFix.exe command. If you perform a domain rename, you can use the GPFixup.exe command to repair name dependencies in GPOs and Group Policy links. Migrate Group Policy ObjectsWhen moving GPOs between domains or forests, you need to ensure that any domain-specific information is accounted for, so locations and security principals in the source domain aren’t used in the destination domain. You can account for these locations and security principals using migration tables. You use migration tables when copying or importing GPOs. Migration tables enable you to alter references when moving a GPO from one domain to another, or from one forest to another. An example is when you are using GPOs for software deployment and need to replace the address of a shared folder that hosts a software installation file so that it is relevant to the target domain. You can open the Migration Table Editor (MTE), shown in Figure 5-7, by right-clicking Domains in the GPMC, and clicking Open Migration Table Editor. FIGURE 5-7 Opening the MTE When you use the MTE, you can choose to populate from a GPO that is in the current domain, or choose to populate the MTE from a backed-up GPO. When you perform this action, the MTE will be populated with settings that reference local objects. If, when you perform this action, there are no results, then no local locations are referenced in the GPO that you are going to migrate. Delegate GPO managementIn larger environments, there is more than one person in the IT department. In very large organizations, one person’s entire job responsibility might be creating and editing GPOs. Delegation enables you to grant the permission to perform specific tasks to a specific user or group of users. You can delegate some or all of the following Group Policy management tasks:
Users in the Domain Admins and Enterprise Admins groups can perform all Group Policy management tasks. Users that are members of the Group Policy Creator Owners domain group can create GPOs. They also have the right to edit and delete any GPOs that they have created. You can delegate permissions to GPOs directly using the GPMC, as shown in Figure 5-8. Creating GPOsIf you want to delegate the ability for users to create GPOs, you can add them to the Group Policy Creator Owners group. You can also explicitly grant them permission to create GPOs using the GPMC. To do this, perform the following steps:
Editing GPOsTo edit a GPO, users must be either a member of the Domain Admins or Enterprise Admins group. They can edit a GPO if they created it. They can also edit a GPO if they have been given Read/Write permissions on the GPO through the GPMC. To grant a user permission to edit a GPO, perform the following steps:
Linking GPOsTo enable a user to link a GPO to a specific object, you need to edit the permission on that object. You can perform this task in the GPMC, as shown in Figure 5-10. For example, to grant a user or group permission to link a GPO to an OU, select the OU in the GPMC, select the Delegation tab, click Add, and then select the user or group to which you want to grant this permission. Modeling, results, and WMI filtersDelegating permissions to perform tasks related to Group Policy Modeling and Group Policy Results is performed at the domain level, as shown in Figure 5-11. You can delegate the ability to create WMI filters by selecting the WMI Filters node in the GPMC and granting the permission on the Delegation tab.
FIGURE 5-11 Delegating Group Policy Modeling and Group Policy Results permissions Lesson summary
Lesson reviewAnswer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
What is Group Policy in Windows Server 2012?This topic describes the new and changed functionality of the Group Policy feature in Windows Server 2012 R2 and Windows Server 2012. Group Policy is an infrastructure that enables you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.
Where are group policies stored on server?The GPOs are stored in the SYSVOL folder. The SYSVOL folder is automatically replicated to other domain controllers in the same domain. A policy file uses approximately 2 megabytes (MB) of hard disk space.
Where is Group Policy management located?You can find the Group Policy Management Console in the Tools menu of Microsoft Windows Server Manager. It is not a best practice to use domain controllers for everyday management tasks, so you should install the Remote Server Administration Tools (RSAT) for your version of Windows.
|