Hello, fellow system admins!
It’s been quite a while since I wrote an article, as I was busy getting myself up and running at my new workplace, VMware.
Now that I am back on track, my complete focus is on completing the 70-410 Exam series, and only two chapters remain.
You can check the complete list on the page -- Microsoft Windows Server 2012 R2 70-410 Exam- Installing and Configuring
In today’s 70-410 Exam Objective, we will be covering the below:
- Configure a Central Store.
- Manage Starter GPOs.
- Configure GPO links.
- Configure multiple local Group Policies.
Before we go any further, let us first look at the various terminologies with respect to Group Policy Objects, so that we are familiar with them.
Group Policy Container: It is an AD object stored in the Group Policy Objects container within the domain naming context of the directory.
The Group Policy Container defines the basic attributes of the GPO but does not contain any settings.
Group Policy Template: The settings are contained in the Group Policy Template, a collection of files stored in the SYSVOL folder of each domain controller.
Moving on to the components of a GPO, there are two types: Computer configuration and User configuration.
As the names suggest, they apply to computers and users respectively.
Although the name Group Policy Object implies that policies are linked directly to groups, this is not the case.
GPOs can be linked to sites, domains and organizational units to apply settings to all users and computers within AD DS containers.
We also need to pay careful attention to how Group Policy is applied to the objects within the domain.
Group Policy settings are processed in the following order:
Local Group Policy Object: Each computer has one local Group Policy object attached to it. It has both computer and user settings.
Site: Any GPOs that have been linked to the site that the computer belongs to are processed next.
Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC.
Organizational Units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
Administrative Templates files are divided into .admx files and language-specific .adml files for use by Group Policy administrators.
To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a Windows domain controller.
To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location (for example) on the domain controller:
and copy the content from the below location.
Now when you fire up the Group Policy Management console and try to see the changes, you will notice the below.
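The Central Store steps above, scripted as an added example (not code from the original article). It uses the documented Central Store location under SYSVOL, takes the domain name as a parameter, and assumes `en-US` as the language folder to check; the function names are hypothetical.

```powershell
# Added example: create a Group Policy Central Store and verify its contents.
function Publish-CentralStore {
    param(
        [Parameter(Mandatory)] [string]$DomainFqdn,             # your domain, e.g. example.test (placeholder)
        [string]$Source = "$env:SystemRoot\PolicyDefinitions"   # local template folder
    )
    # Central Store path: \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions
    $store = "\\$DomainFqdn\SYSVOL\$DomainFqdn\Policies\PolicyDefinitions"
    if (-not (Test-Path -LiteralPath $store)) {
        New-Item -ItemType Directory -Path $store | Out-Null
    }
    # Copies the .admx files and the language subfolders that hold the .adml files.
    Copy-Item -Path (Join-Path $Source '*') -Destination $store -Recurse -Force
    $store
}

function Test-CentralStore {
    param(
        [Parameter(Mandatory)] [string]$Store,
        [string]$Source   = "$env:SystemRoot\PolicyDefinitions",
        [string]$Language = 'en-US'                             # assumed language folder
    )
    foreach ($admx in Get-ChildItem -LiteralPath $Store -Filter *.admx) {
        $adml = Join-Path $Store (Join-Path $Language "$($admx.BaseName).adml")
        $ref  = Join-Path $Source $admx.Name
        # A template without its .adml cannot be displayed in the editor; a hash
        # that differs from the reference copy means the file in SYSVOL is not
        # the one you published from this machine.
        $same = (Test-Path -LiteralPath $ref) -and
                ((Get-FileHash -LiteralPath $admx.FullName).Hash -eq
                 (Get-FileHash -LiteralPath $ref).Hash)
        [pscustomobject]@{
            Template      = $admx.Name
            HasAdml       = Test-Path -LiteralPath $adml
            MatchesSource = $same
        }
    }
}

# Usage (run as an account allowed to write to SYSVOL):
#   $store = Publish-CentralStore -DomainFqdn 'example.test'
#   Test-CentralStore -Store $store | Where-Object { -not ($_.HasAdml -and $_.MatchesSource) }
```

Because every administrator's Group Policy editor reads templates from this folder once it exists, rerunning `Test-CentralStore` after template updates shows which files drifted from the copy you published.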
Starter GPOs were introduced in Windows Server 2008. A starter GPO is essentially a template for the creation of domain GPOs based on a standard collection of settings. When you create a new GPO from a starter GPO, all the settings in the starter GPO are automatically copied to the new GPO as its default settings.
You can also export it as a cabinet file for sharing purposes.
In this section, we will be looking at how the GPOs actually get applied in the domain and the various options available to us.
A lot of administrators get confused when it comes to the location of the Group Policy Objects.
It is important to note that the GPOs are found in the Group Policy Objects section in the Group Policy Management Console.
I have just created the New Group Policy Object as seen above and linked it to the domain in the above example.
Group Policy Inheritance
As the previous section hinted, when you link a GPO to the domain, the GPO applies to the computers and users in every OU and child OU in the domain.
Likewise, when you link a GPO to an OU, the GPO applies to the computers and users in every child OU. This concept is called inheritance.
Group Policy Delegation
Delegation on a Group Policy Object grants selected users and groups permission to edit its settings.
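Linking, inheritance and delegation from this section, tied together in an added example (not part of the original article) that uses the GroupPolicy PowerShell module. The function names, the GPO name and the `example.test` distinguished names are placeholders.

```powershell
#Requires -Modules GroupPolicy
# Added example; run from a domain-joined machine with GPMC/RSAT installed.

function New-LinkedGpo {
    param(
        [Parameter(Mandatory)] [string]$Name,     # hypothetical GPO name
        [Parameter(Mandatory)] [string]$Target    # DN of the domain or OU to link to
    )
    # The GPO itself lives under "Group Policy Objects"; the link is a separate
    # entry on the target container and is what makes the GPO apply there.
    $gpo = New-GPO -Name $Name
    New-GPLink -Guid $gpo.Id -Target $Target -LinkEnabled Yes | Out-Null
    $gpo
}

function Get-AppliedGpoEditors {
    param(
        [Parameter(Mandatory)] [string]$Target    # DN of the domain or OU to inspect
    )
    # InheritedGpoLinks holds the links set on this container together with
    # those inherited from its parents (the domain and any parent OUs).
    $som = Get-GPInheritance -Target $Target
    foreach ($link in $som.InheritedGpoLinks) {
        # Delegation: keep only trustees who can change the GPO's settings.
        $editors = Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' }
        foreach ($e in $editors) {
            [pscustomobject]@{
                Order      = $link.Order
                Gpo        = $link.DisplayName
                LinkedAt   = $link.Target
                Enabled    = $link.Enabled
                Trustee    = $e.Trustee.Name
                Permission = $e.Permission
            }
        }
    }
}

# Usage with placeholder names:
#   New-LinkedGpo -Name 'Baseline - Workstations' -Target 'DC=example,DC=test'
#   Get-AppliedGpoEditors -Target 'OU=Workstations,DC=example,DC=test' |
#       Format-Table -AutoSize
```

The report answers a question the console spreads over several tabs: for one OU, which GPOs reach it through inheritance and which accounts are able to edit each of them.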
Computers that are part of an Active Directory domain benefit a great deal when you apply Group Policy Objects.
This helps you create an environment which is identical and applies to all the computers which are part of the domain.
For computers which are non-domain joined or locked down machines, we can use Multiple Local Group Policies to achieve similar results.
Open an MMC console on the non-domain-joined computer, and add the Group Policy Management editor snap-in.
You will have multiple options presented to you, like:
You could add the local computer, or you could add another computer.
The best part is that you could also apply User configuration only by selecting a user or group on a computer.
You can see above that we have selected User configuration for only the Administrators group on the local computer.
You most probably will never have to manage Multiple Local Group Policies, as they are used only for extremely locked-down computers.
That’s it for today’s section. I hope that this has been informative, and thank you for reading!