Active Directory 2008 : Managing Group Policy Scope (part 4) - Group Policy Processing, Loopback Policy Processing

8/25/2013 11:54:41 AM

6. Group Policy Processing

Now that you have learned more about the concepts, components, and scoping of Group Policy, you are ready to examine Group Policy processing closely. As you read this section, keep in mind that Group Policy is all about applying configurations defined by GPOs, that GPOs are applied in an order (site, domain, and OU), and that GPOs applied later in the order have higher precedence; their settings, when applied, override settings applied earlier. The following sequence describes the process through which settings in a domain-based GPO are applied to affect a computer or user:

  1. The computer starts, and the network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) are started. The Group Policy Client is started.

  2. The Group Policy Client obtains an ordered list of GPOs scoped to the computer.

    The order of the list determines the order of GPO processing, which is, by default, local, site, domain, and OU:

    • Local GPOs. Each computer running Windows Server 2003, Windows XP, and Windows 2000 has exactly one GPO stored locally. Computers running Windows Vista, Windows Server 2008, and later versions of Windows have multiple local GPOs.

    • Site GPOs. Any GPOs that have been linked to the site are added to the ordered list next. When multiple GPOs are linked to a site (or domain or OU), the link order, configured on the Scope tab, determines the order in which they are added to the list. The GPO that is highest on the list, with the number closest to 1, has the highest precedence and is added to the list last. It is, therefore, applied last, and its settings override those of GPOs applied earlier.

    • Domain GPOs. Multiple domain-linked GPOs are added as specified by the link order.

      Note

      DOMAIN-LINKED POLICIES ARE NOT INHERITED BY CHILD DOMAINS

      Policies from a parent domain are not inherited by a child domain. Each domain maintains distinct policy links. However, computers in several domains might be within the scope of a GPO linked to a site.

    • OU GPOs. GPOs linked to the OU highest in the Active Directory hierarchy are added to the ordered list, followed by GPOs linked to its child OU, and so on. Finally, the GPOs linked to the OU that contains the computer are added. If several group policies are linked to an OU, they are added in the order specified by the link order.

    • Enforced GPOs. These are added at the end of the ordered list, so their settings are applied at the end of the process and therefore override settings of GPOs earlier in the list and in the process. As a point of trivia, enforced GPOs are added to the list in reverse order: OU, domain, and then site. This is relevant when you apply corporate security policies in a domain-linked, enforced GPO. That GPO will be at the end of the ordered list and applied last, so its settings will take precedence.

  3. The GPOs are processed synchronously in the order specified by the ordered list. This means that settings in the local GPOs are processed first, followed by GPOs linked to the site, the domain, and the OUs containing the user or computer. GPOs linked to the OU of which the computer or user is a direct member are processed last, followed by enforced GPOs.

    As each GPO is processed, the system determines whether its settings should be applied based on the GPO status for the computer node (enabled or disabled) and whether the computer has the Allow Apply Group Policy permission. If a WMI filter is applied to the GPO, and if the computer is running Windows XP or later, it performs the WQL query specified in the filter.

  4. If the GPO should be applied to the system, CSEs trigger to process the GPO settings. Policy settings in GPOs overwrite policies of previously applied GPOs in the following ways:

    • If a policy setting is configured (set to Enabled or Disabled) in a GPO linked to a parent container (OU, domain, or site), and the same policy setting is Not Configured in GPOs linked to its child container, the resultant set of policies for users and computers in the child container will include the parent’s policy setting. If the child container is configured with the Block Inheritance option, the parent setting is not inherited unless the GPO link is configured with the Enforced option.

    • If a policy setting is configured (set to Enabled or Disabled) for a parent container, and the same policy setting is configured for a child, the child container’s setting overrides the setting inherited from the parent. If the parent GPO link is configured with the Enforced option, the parent setting has precedence.

    • If a policy setting of GPOs linked to parent containers is Not Configured, and the child OU setting is also Not Configured, the resultant policy setting is the setting that results from the processing of local GPOs. If the resultant setting of local GPOs is also Not Configured, the resultant configuration is the Windows default setting.

  5. When the user logs on, steps 2, 3, and 4 are repeated for user settings. The client obtains an ordered list of GPOs scoped to the user, examines each GPO synchronously, and hands over GPOs that should be applied to the appropriate CSEs for processing. This step is modified if User Loopback Group Policy Processing is enabled. Loopback policy processing is discussed in the next section.

    Note

    POLICY SETTINGS IN BOTH THE COMPUTER CONFIGURATION AND USER CONFIGURATION NODES

    Most policy settings are specific to either the User Configuration or Computer Configuration node. A small handful of settings appear in both nodes. Although in most situations the setting in the Computer Configuration node overrides the setting in the User Configuration node, it is important to read the explanatory text accompanying the policy setting to understand the setting’s effect and its application.

  6. Every 90 to 120 minutes after computer startup, computer policy refresh occurs, and steps 2, 3, and 4 are repeated for computer settings.

  7. Every 90 to 120 minutes after user logon, user policy refresh occurs, and steps 2, 3, and 4 are repeated for user settings.

Note

SETTINGS MIGHT NOT TAKE EFFECT IMMEDIATELY

Although most settings are applied during a background policy refresh, some CSEs do not apply the setting until the next startup or logon event. Newly added startup and logon script policies, for example, will not run until the next computer startup or logon.

7. Loopback Policy Processing

By default, a user’s settings come from GPOs scoped to the user object in Active Directory. Regardless of which computer the user logs on to, the resultant set of policies that determine the user’s environment is the same. There are situations, however, in which you might want to configure a user differently, depending on the computer in use. For example, you might want to lock down and standardize user desktops when users log on to computers in closely managed environments such as conference rooms, reception areas, laboratories, classrooms, and kiosks. It is also important for virtual desktop infrastructure (VDI) scenarios, including remote virtual machines and Remote Desktop Services (Terminal Services).

Imagine a scenario in which you want to enforce a standard corporate appearance for the Windows desktop on all computers in conference rooms and other public areas of your office. How could you centrally manage this configuration, using Group Policy? Policy settings that configure desktop appearance are located in the User Configuration node of a GPO. Therefore, by default, the settings apply to users regardless of which computer they log on to. The default policy processing does not give you a way to scope user settings to apply to computers, regardless of which user logs on. That’s where loopback policy processing comes in.

Loopback policy processing alters the default algorithm used by the Group Policy client to obtain the ordered list of GPOs that should be applied to a user’s configuration. Instead of user configuration being determined by the User Configuration node of GPOs that are scoped to the user object, user configuration can be determined by the User Configuration node policies of GPOs that are scoped to the computer object.

The User Group Policy Loopback Processing Mode policy, located in the Computer Configuration\Policies\Administrative Templates\System\Group Policy folder in GPME, can be, like all policy settings, set to Not Configured, Enabled, or Disabled.

When enabled, the policy can specify Replace or Merge mode:

  • Replace In this case, the GPO list for the user is replaced in its entirety by the GPO list already obtained for the computer at computer startup (during step 2). The settings in the User Configuration policies of the computer’s GPOs are applied to the user. Replace mode is useful in a situation such as a classroom, where users should receive a standard configuration rather than the configuration applied to those users in a less managed environment.

  • Merge In this case, the GPO list obtained for the computer at computer startup is appended to the GPO list obtained for the user when logging on (step 5). Because the GPO list obtained for the computer is applied later, settings in GPOs on the computer’s list have precedence if they conflict with settings in the user’s list. This mode would be useful for applying additional settings to users’ typical configurations. For example, you might allow a user to receive his or her typical configuration when logging on to a computer in a conference room or reception area but replace the wallpaper with a standard bitmap and disable the use of certain applications or devices.
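The list-building and precedence rules of steps 2 through 5, together with the Replace and Merge modes just described, as a small Python model added here (it is not code from the original book or from Windows). It goes slightly beyond the text by also covering Block Inheritance and the reverse ordering of enforced GPOs; the GPO, site and OU names mirror the practice exercises and are assumed.

```python
from dataclasses import dataclass, field

NOT_CONFIGURED = None        # a setting absent from a GPO node is "Not Configured"
@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)   # Computer Configuration node
    user: dict = field(default_factory=dict)       # User Configuration node

@dataclass
class Container:             # a site, domain or OU and its GPO links
    name: str
    links: list = field(default_factory=list)      # [(gpo, enforced)] in link order, 1 first
    block_inheritance: bool = False

def ordered_gpos(local, site, domain, ous):
    """Step 2: build the processing order (local, site, domain, OUs top-down,
    enforced GPOs last). Later in the list means higher precedence."""
    normal, enforced_per_container = list(local), []
    for container in [site, domain, *ous]:
        if container.block_inheritance:            # drops inherited non-enforced GPOs
            normal = [g for g in normal if g in local]
        links = list(reversed(container.links))    # link order 1 is appended last
        normal += [g for g, enf in links if not enf]
        enforced_per_container.append([g for g, enf in links if enf])
    # Enforced GPOs are added in reverse order (OU, domain, then site), so an
    # enforced site or domain GPO is applied after everything else and wins.
    return normal + [g for c in reversed(enforced_per_container) for g in c]

def resolve(gpos, node, setting, default=NOT_CONFIGURED):
    """Step 4: the last GPO in the list that configures the setting wins;
    if none does, the Windows default (passed as `default`) applies."""
    value = default
    for gpo in gpos:
        candidate = getattr(gpo, node).get(setting, NOT_CONFIGURED)
        if candidate is not NOT_CONFIGURED:
            value = candidate
    return value

def loopback(user_list, computer_list, mode=None):
    """Step 5 with User Group Policy Loopback Processing Mode applied."""
    if mode == "Replace":        # the user's list is discarded entirely
        return list(computer_list)
    if mode == "Merge":          # computer's list appended, so it wins conflicts
        return user_list + computer_list
    return user_list

# Constructed scenario mirroring the practice exercises (names assumed).
standards = GPO("CONTOSO Standards", user={"ScreenSaverTimeout": 600})
override = GPO("Engineering Application Override", user={"ScreenSaverTimeout": "Disabled"})
enforced_gpo = GPO("Enforced Domain Policies", computer={"AlwaysWaitForNetwork": "Enabled"})
sales = GPO("Sales Laptop Configuration", computer={"LoopbackMode": "Merge"},
            user={"Wallpaper": r"c:\windows\web\Wallpaper\server.jpg"})
site = Container("Default-First-Site-Name")
domain = Container("contoso.com", links=[(standards, False), (enforced_gpo, True)])
engineers = Container("Engineers", links=[(override, False)])
clients = Container("Clients", links=[(sales, False)])

engineer_user = ordered_gpos([], site, domain, [Container("User Accounts"), engineers])
sales_laptop = ordered_gpos([], site, domain, [clients])
merged = loopback(engineer_user, sales_laptop, resolve(sales_laptop, "computer", "LoopbackMode"))
if __name__ == "__main__":
    print([g.name for g in engineer_user], resolve(engineer_user, "user", "ScreenSaverTimeout"))
    print([g.name for g in merged], resolve(merged, "user", "Wallpaper"))
```

Note what Merge does to the engineer's override: CONTOSO Standards is also on the laptop's list, so its 10-minute timeout is applied again after the Engineers OU GPO and wins, exactly as the rule that the computer's list takes precedence predicts.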

Note

LOOPBACK AND FILTERING

It is an underdocumented fact that when you combine loopback processing with security group filtering, the application of user settings during policy refresh uses the credentials of the computer to determine which GPOs to apply as part of the loopback processing, but the logged-on user must also have the Apply Group Policy permission for the GPO to be successfully applied.

Practice Configuring Group Policy Scope

In this practice, you follow a scenario that builds upon the GPO you created and configured in Lesson 1. In each vignette, you refine your application of Group Policy scoping. Before performing these exercises, complete the exercises in Lesson 1.

EXERCISE 1 Create a GPO with a Policy Setting That Takes Precedence over a Conflicting Setting

Imagine you are an administrator of the contoso.com domain. The CONTOSO Standards GPO, linked to the domain, configures a policy setting that requires a 10-minute screen saver timeout. An engineer reports that a critical application that performs lengthy calculations crashes when the screen saver starts, and the engineer has asked you to prevent the setting from applying to the team of engineers that use the application every day.

  1. Log on to SERVER01 as Administrator.

  2. Open the Active Directory Users And Computers snap-in and create a first-level OU called User Accounts (if one does not already exist) and a child OU called Engineers.

  3. Open Group Policy Management.

  4. Expand the console tree so that you can see the Engineers OU. Right-click the Engineers OU and choose Create A GPO In This Domain, And Link It Here.

  5. Enter the name Engineering Application Override and click OK.

  6. Expand the Engineers OU, right-click the GPO, and choose Edit.

  7. Expand User Configuration\Policies\Administrative Templates\Control Panel and then click the Personalization folder.

  8. Double-click the Screen Saver Timeout policy setting.

  9. Click Disabled, and then click OK.

  10. Close the GPME.

  11. In Group Policy Management, click the Engineers OU, and then click the Group Policy Inheritance tab.

  12. Notice that the Engineering Application Override GPO has precedence over the CONTOSO Standards GPO.

    The setting you configured, which explicitly disables the screen saver, overrides the setting in the CONTOSO Standards GPO.

EXERCISE 2 Configure the Enforced Option

You want to ensure that all systems receive changes to Group Policy as quickly as possible. To do this, you want to enable the Always Wait For The Network Group Policy setting. You do not want any administrators to override the policy; it must be enforced for all systems.

  1. In the GPMC, right-click the contoso.com domain and choose Create A GPO In This Domain, And Link It Here.

  2. Enter the name Enforced Domain Policies and click OK.

  3. Right-click the GPO and choose Edit.

  4. Expand Computer Configuration\Policies\Administrative Templates\System and then click the Logon folder.

  5. Double-click the Always Wait For The Network At Computer Startup And Logon policy setting.

  6. Select Enabled and click OK.

  7. Close the GPME.

  8. Right-click the Enforced Domain Policies GPO and choose Enforced.

  9. Select the Engineers OU, and then click the Group Policy Inheritance tab.

    Note that your enforced domain GPO has precedence even over GPOs linked to the Engineers OU. Settings in a GPO such as Engineering Application Override cannot successfully override settings in an enforced GPO.

EXERCISE 3 Configure Security Filtering

As time passes, you discover that a small number of users must be exempted from the screen saver timeout policy configured by the CONTOSO Standards GPO. You decide that it is no longer practical to use overriding settings. Instead, you will use security filtering to manage the scope of the GPO.

  1. Open the Active Directory Users And Computers snap-in and create an OU called Groups, if it does not already exist. In the Groups OU, create a global security group named GPO_CONTOSO Standards_Exceptions.

  2. In the GPMC, expand the Group Policy Objects container.

  3. Right-click the Engineering Application Override GPO and choose Delete. Click Yes to confirm your choice.

  4. In the console tree, select the CONTOSO Standards GPO in the Group Policy Objects container.

  5. On the Delegation tab, click Advanced.

  6. In the Security Settings dialog box, click Add.

  7. Type the name of the group, GPO_CONTOSO Standards_Exceptions, and click OK.

  8. In the permissions list, scroll down and select the Deny permission for Apply Group Policy. Then click OK.

  9. Click Yes to confirm your choice.

  10. Note the entry shown on the Delegation tab in the Allowed Permissions column for the GPO_CONTOSO Standards_Exceptions group.

  11. Click the Scope tab and examine the Security Filtering section.

    The default security filtering of the new GPO is that the Authenticated Users group has the Allow Apply Group Policy permission, so all users and computers within the scope of the GPO link will apply the settings in the GPO. Now you have configured a group with the Deny Apply Group Policy permission, which overrides the Allow permission. If any user requires exemption from the policies in the CONTOSO Standards GPO, you can simply add the user to the GPO_CONTOSO Standards_Exceptions group.

EXERCISE 4 Implement Loopback Policy Processing

Recently, a salesperson at Contoso, Ltd., turned on his computer to give a presentation to an important customer, and the desktop wallpaper was a picture that exhibited questionable taste on the part of the salesperson. The management of Contoso, Ltd., has asked you to ensure that the laptops used by salespeople will have no wallpaper. It is not necessary to manage the wallpaper of salespeople when they are logged on to desktop computers at the office. Because policy settings that manage wallpaper are user configuration settings, but you need to apply the settings to sales laptops, you must use loopback policy processing. In addition, the computer objects for sales laptops are scattered across several OUs, so you will use security filtering to apply the GPO to a group rather than to an OU of sales laptops.

  1. Open the Active Directory Users And Computers snap-in and create a global security group called Sales Laptops in the Groups OU. Also create an OU called Clients for client computer objects, if the Clients OU does not already exist.

  2. In the GPMC, right-click the Group Policy Objects container and choose New.

  3. In the Name box, type Sales Laptop Configuration and click OK.

  4. Right-click the GPO and choose Edit.

  5. Expand User Configuration\Policies\Administrative Templates\Desktop and then click the Desktop subfolder.

  6. Double-click the Desktop Wallpaper policy setting.

  7. Review the explanatory text in the Help box.

  8. In the Comment box, type Corporate standard wallpaper for sales laptops.

  9. In the Supported On box, review the supported versions of Windows.

  10. Select Enabled.

  11. In the Wallpaper Name box, type c:\windows\web\Wallpaper\server.jpg.

  12. Click OK.

  13. Expand Computer Configuration\Policies\Administrative Templates\System, and then click the Group Policy folder.

  14. Double-click the User Group Policy Loopback Processing Mode policy setting.

  15. Click Enabled and, in the Mode drop-down list, select Merge.

  16. Click OK and close the GPME.

  17. In the GPMC, select the Sales Laptop Configuration GPO in the Group Policy Objects container.

  18. On the Scope tab, in the Security Filtering section, select the Authenticated Users group and click Remove. Click OK to confirm your choice.

  19. Click Add in the Security Filtering section.

  20. Type the group name, Sales Laptops, and click OK.

  21. Click Add in the Security Filtering section.

  22. Type the group name, Domain Users, and click OK.

    It is an underdocumented fact that when you combine the loopback processing with security group filtering, the application of user settings during policy refresh uses the credentials of the computer to determine which GPOs to apply as part of the loopback processing, but the logged-on user must also have the Apply Group Policy permission for the GPO to be successfully applied.

  23. Right-click the Clients OU and choose Link An Existing GPO.

  24. Select Sales Laptop Configuration and click OK.

    You have now filtered a GPO so that it applies only to objects in the Sales Laptops group. You can add computer objects for sales laptops as members of the group, and those laptops will be within the scope of the GPO. The GPO configures the laptops to perform loopback policy processing in Merge mode. When any user in the domain logs on to one of the sales laptops, user configuration settings scoped to the user are applied and then user configuration settings in GPOs scoped to the computer are applied, including the Sales Laptop Configuration GPO.
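The Deny-overrides-Allow security filtering of Exercise 3 and the loopback rule repeated in Exercise 4 (the computer must pass the filter, and the logged-on user must also hold Apply Group Policy), as an added Python model that is not part of the original book; the ACL entries, group names and principals are constructed.

```python
# Model of security filtering on a GPO: the Apply Group Policy ACEs on the GPO
# decide whether a principal applies it, Deny overriding Allow as in any Windows
# ACL. (In practice the principal also needs Read; that is left implicit here.)
def apply_group_policy_allowed(acl, principal, groups):
    """acl: [(trustee, "Allow" | "Deny")] entries for Apply Group Policy.
    groups: the principal's security group memberships (direct and nested)."""
    trustees = {principal, *groups}
    access = {mode for trustee, mode in acl if trustee in trustees}
    return "Deny" not in access and "Allow" in access

def loopback_user_settings_apply(acl, computer, computer_groups, user, user_groups):
    """With loopback, the GPO reaches the computer's list only if the computer
    passes the filter, and its User Configuration settings are applied only if
    the logged-on user also holds Apply Group Policy (the underdocumented rule)."""
    computer_in_scope = apply_group_policy_allowed(acl, computer, computer_groups)
    user_allowed = apply_group_policy_allowed(acl, user, user_groups)
    return computer_in_scope and user_allowed

# Constructed ACLs and principals following Exercises 3 and 4 (names assumed).
STANDARDS_ACL = [("Authenticated Users", "Allow"),
                 ("GPO_CONTOSO Standards_Exceptions", "Deny")]
SALES_LAPTOP_ACL = [("Sales Laptops", "Allow"), ("Domain Users", "Allow")]
SALES_LAPTOP_ACL_NO_USERS = [("Sales Laptops", "Allow")]   # step 22 skipped

ALICE = ("alice", ["Authenticated Users", "Domain Users"])
BOB = ("bob", ["Authenticated Users", "Domain Users", "GPO_CONTOSO Standards_Exceptions"])
LAPTOP = ("LAPTOP01$", ["Authenticated Users", "Domain Computers", "Sales Laptops"])
DESKTOP = ("DESKTOP01$", ["Authenticated Users", "Domain Computers"])

def standards_applies(user):
    """Does the CONTOSO Standards GPO apply to this user after Exercise 3?"""
    return apply_group_policy_allowed(STANDARDS_ACL, *user)

def sales_wallpaper_applies(acl, computer, user):
    """Do the Sales Laptop Configuration user settings reach this user on this computer?"""
    return loopback_user_settings_apply(acl, *computer, *user)

if __name__ == "__main__":
    print(standards_applies(ALICE), standards_applies(BOB))                   # True False
    print(sales_wallpaper_applies(SALES_LAPTOP_ACL, LAPTOP, ALICE))            # True
    print(sales_wallpaper_applies(SALES_LAPTOP_ACL, DESKTOP, ALICE))           # False
    print(sales_wallpaper_applies(SALES_LAPTOP_ACL_NO_USERS, LAPTOP, ALICE))   # False
```

The last case is the one the note warns about: the laptop is in scope, but with Domain Users missing from the filter the user settings of the loopback GPO are never applied.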

 