Sunday 5 March 2017

Important Points for Active Directory Group Policy




Hello Professionals,

Today I am sharing a few small but important points about Group Policy.


1. You cannot "Block Inheritance" between Local GPOs and Active Directory GPOs: the Local GPO is always processed first, and any Active Directory GPO (site, domain or OU) that sets the same value wins, so a domain setting reliably overrides a conflicting local one. What you can do is turn Local Group Policy Object processing off altogether. On Windows Vista and later there is a setting under Computer Configuration ➢ Policies ➢ Administrative Templates ➢ System ➢ Group Policy called Turn off Local Group Policy Objects processing; when it is Enabled, Local Group Policy Objects no longer affect the machine (the setting itself has to come from an Active Directory GPO, of course).

2. Local Group Policy is stored in %windir%\System32\GroupPolicy (usually C:\Windows\System32\GroupPolicy, a hidden directory). The registry-based part of it lives in Machine\Registry.pol and User\Registry.pol beneath that folder.
   You can also install the GPMC from the command line (on Windows Server; on a client OS it ships as part of RSAT):
  1. Open a PowerShell prompt as an Administrator.
  2. In PowerShell, type Add-WindowsFeature GPMC (on Windows Server 2012 and later the cmdlet is Install-WindowsFeature GPMC; Add-WindowsFeature is kept as an alias).
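Points 1 and 2 as one added PowerShell example (not code from the original post): it checks whether an Active Directory GPO has turned off local policy processing, lists the local GPO directory, and decodes the registry-based local settings from Registry.pol. The registry value DisableLGPOProcessing is the one the "Turn off Local Group Policy Objects processing" setting writes; the Registry.pol decoding follows the documented [key;value;type;size;data] record layout. Run it elevated on the machine you are inspecting.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the target machine.

# 1. Has an AD GPO turned local policy off? "Turn off Local Group Policy Objects processing"
#    writes DisableLGPOProcessing=1 under the Policies hive (policy values, not user-editable).
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$flag   = (Get-ItemProperty -Path $polKey -Name DisableLGPOProcessing -ErrorAction SilentlyContinue).DisableLGPOProcessing
if ($flag -eq 1) { 'Local GPO processing is turned OFF by domain policy; only AD GPOs apply.' }
else             { 'Local GPO processing is ON; local settings apply unless an AD GPO overrides them.' }

# 2. Where the Local GPO lives (hidden directory, so -Force is needed to see it).
$lgpoRoot = Join-Path $env:windir 'System32\GroupPolicy'
Get-ChildItem -Path $lgpoRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 3. Decode the registry-based settings. Registry.pol is 'PReg' + version, then records of
#    the form [key;valuename;type;size;data]: UTF-16LE text with binary DWORD type and size.
function Read-PolString {
    param([byte[]]$Bytes, [ref]$Offset)
    $start = $Offset.Value
    while ([BitConverter]::ToUInt16($Bytes, $Offset.Value) -ne 0) { $Offset.Value += 2 }
    $text = [Text.Encoding]::Unicode.GetString($Bytes, $start, $Offset.Value - $start)
    $Offset.Value += 2          # skip the UTF-16 null terminator
    return $text
}

function Read-RegistryPol {
    param([string]$Path)
    $b = [IO.File]::ReadAllBytes($Path)
    if ([Text.Encoding]::ASCII.GetString($b, 0, 4) -ne 'PReg') { throw "$Path is not a Registry.pol file" }
    $pos = 8                    # 4-byte 'PReg' signature + 4-byte version
    while ($pos -lt $b.Length) {
        $pos += 2                                               # '['
        $key  = Read-PolString -Bytes $b -Offset ([ref]$pos)
        $pos += 2                                               # ';'
        $name = Read-PolString -Bytes $b -Offset ([ref]$pos)
        $pos += 2                                               # ';'
        $type = [BitConverter]::ToUInt32($b, $pos); $pos += 4
        $pos += 2                                               # ';'
        $size = [BitConverter]::ToUInt32($b, $pos); $pos += 4
        $pos += 2                                               # ';'
        $data = if ($size -gt 0) { $b[$pos..($pos + $size - 1)] } else { @() }
        $pos += $size
        $pos += 2                                               # ']'
        $value = switch ($type) {
            4               { if (@($data).Count -ge 4) { [BitConverter]::ToUInt32([byte[]]$data, 0) } }  # REG_DWORD
            { $_ -in 1, 2 } { [Text.Encoding]::Unicode.GetString([byte[]]$data).TrimEnd("`0") }          # REG_SZ / REG_EXPAND_SZ
            default         { (@($data) | ForEach-Object { $_.ToString('x2') }) -join '' }                # raw hex
        }
        [pscustomobject]@{ Key = $key; ValueName = $name; Type = $type; Value = $value }
    }
}

foreach ($scope in 'Machine', 'User') {
    $pol = Join-Path $lgpoRoot "$scope\Registry.pol"
    if (Test-Path $pol) { "== Local $scope policy ($pol)"; Read-RegistryPol -Path $pol | Format-Table -AutoSize }
    else                { "== No local $scope Registry.pol (no registry-based local settings)" }
}
```

The Registry.pol decoder is the useful part: Get-GPRegistryValue only works against domain GPOs, so when a machine behaves as if a setting were applied that no domain GPO explains, this is how you see what the local policy actually contains.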


3. The possible states of a setting in GPMC
   a. Not Configured: this GPO says nothing about the setting, so it "passes through". Whatever another GPO (or the local default) has set remains in effect.
   b. Enabled: this GPO turns the setting on, and it takes effect for the objects the GPO applies to.
   c. Disabled: this GPO explicitly turns the setting off. Unlike Not Configured, Disabled is an active choice, so a Disabled setting in a GPO linked closer to the object (an OU) overrides an Enabled setting from a GPO linked higher up (the domain).
      Taking the Shutdown Event Tracker setting as an example: Not Configured means the GPO leaves the tracker alone, Enabled means the tracker is applied and prompts for a reason at shutdown, and Disabled is what you set in an OU-level GPO when the tracker is enabled at domain level but must not apply to the servers in that OU.
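An added PowerShell example (not from the original post) that makes the three states concrete with the Shutdown Event Tracker setting from the text. It assumes a lab domain with a domain-linked GPO named "Domain Baseline" and an OU-linked GPO named "App Servers - Exceptions" (both names are assumptions); the registry key and value names are the ones the Display Shutdown Event Tracker setting writes into Registry.pol.

```powershell
# Added example, not from the original post. GPO names are assumed lab names.
Import-Module GroupPolicy

$key       = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Reliability'   # written by "Display Shutdown Event Tracker"
$domainGpo = 'Domain Baseline'            # linked at the domain
$ouGpo     = 'App Servers - Exceptions'   # linked at the servers' OU

foreach ($n in $domainGpo, $ouGpo) {
    if (-not (Get-GPO -Name $n -ErrorAction SilentlyContinue)) { New-GPO -Name $n | Out-Null }
}

# Enabled at domain level: the GPO carries ShutdownReasonOn=1 (and ShutdownReasonUI=1, "Always").
Set-GPRegistryValue -Name $domainGpo -Key $key -ValueName 'ShutdownReasonOn' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $domainGpo -Key $key -ValueName 'ShutdownReasonUI' -Type DWord -Value 1 | Out-Null

# Disabled at OU level: a value is still written, just with 0, so it overrides the domain's 1 for that OU.
Set-GPRegistryValue -Name $ouGpo -Key $key -ValueName 'ShutdownReasonOn' -Type DWord -Value 0 | Out-Null

function Show-Setting {
    # Lists what each GPO actually stores under the key; an empty result is "Not Configured".
    param([string[]]$GpoNames, [string]$Key)
    foreach ($n in $GpoNames) {
        $vals = Get-GPRegistryValue -Name $n -Key $Key -ErrorAction SilentlyContinue
        if ($vals) { $vals | Select-Object @{n='GPO';e={$n}}, ValueName, Type, Value }
        else       { [pscustomobject]@{ GPO = $n; ValueName = '(none)'; Type = ''; Value = 'Not Configured' } }
    }
}

'--- Domain = Enabled, OU = Disabled: servers in the OU end up with the tracker OFF'
Show-Setting -GpoNames $domainGpo, $ouGpo -Key $key | Format-Table -AutoSize

# Not Configured at OU level: remove the value; the OU GPO now says nothing and the domain's Enabled passes through.
Remove-GPRegistryValue -Name $ouGpo -Key $key -ValueName 'ShutdownReasonOn' | Out-Null

'--- Domain = Enabled, OU = Not Configured: servers in the OU end up with the tracker ON'
Show-Setting -GpoNames $domainGpo, $ouGpo -Key $key | Format-Table -AutoSize
```

The point to take away is in the Registry.pol contents: Disabled writes a value (0) that competes with the domain's value, while Not Configured writes nothing at all, which is why only Disabled can undo an Enabled setting from higher up.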

4. In Active Directory every GPO of a domain, linked or not, lives in the domain's Group Policy Objects container (CN=Policies,CN=System,<domain DN>; shown in GPMC as the Group Policy Objects node under the domain). Linking a GPO to a site, domain or OU only references it from there; the object itself has a single home in that container.

5. Using site level to link GPOs: users roam from one site to another, and on every logon at a new location they pick up that site's settings (and messages). Sites are forest-wide objects, so a site-linked GPO can also reach computers from more than one domain. Unless you have a genuine site-specific requirement (region-specific settings for the users in one location, for example), it is recommended to link GPOs at the domain level rather than at site level.

6. Build the hierarchy from most common to most unique. Put the settings everybody needs in a GPO linked high up, and the settings only a subset needs in GPOs linked to nested OUs further down. For example, if three GPOs need to reach 100, 50 and 20 users, put all 100 users in one OU and link the first GPO there, put the 50 in a child OU with the second GPO, and the 20 in a grandchild OU with the third. A user in the deepest OU then receives all three GPOs, and where settings conflict the GPO linked closest to the user wins.
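The 100/50/20 layout above built with PowerShell, as an added example (not code from the original post). It assumes the ActiveDirectory and GroupPolicy modules, a lab domain, and the OU and GPO names shown, all of which are assumptions; it finishes by showing which links reach the deepest OU.

```powershell
# Added example, not from the original post. OU and GPO names are assumed.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

function Ensure-OU {
    # Returns the OU, creating it when it does not exist yet (safe to re-run).
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    try   { Get-ADOrganizationalUnit -Identity $dn }
    catch { New-ADOrganizationalUnit -Name $Name -Path $Path -PassThru }
}

# Nested OUs: broadest group on top, each more specific group one level further down.
$ouAll  = Ensure-OU -Name 'Staff'       -Path $domainDN                   # all 100 users
$ouSome = Ensure-OU -Name 'Engineering' -Path $ouAll.DistinguishedName    # the 50
$ouFew  = Ensure-OU -Name 'Admins'      -Path $ouSome.DistinguishedName   # the 20

$plan = @(
    @{ Gpo = 'Common - All Staff';   Target = $ouAll.DistinguishedName  }
    @{ Gpo = 'Engineering Settings'; Target = $ouSome.DistinguishedName }
    @{ Gpo = 'Admin Workstations';   Target = $ouFew.DistinguishedName  }
)

foreach ($item in $plan) {
    if (-not (Get-GPO -Name $item.Gpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $item.Gpo -Comment 'Created by the hierarchy example' | Out-Null
    }
    # Link only once; GPMC happily creates duplicate links otherwise.
    $already = (Get-GPInheritance -Target $item.Target).GpoLinks | Where-Object DisplayName -eq $item.Gpo
    if (-not $already) { New-GPLink -Name $item.Gpo -Target $item.Target -LinkEnabled Yes | Out-Null }
}

# Every link that reaches a user in the deepest OU (domain, Staff, Engineering and Admins),
# in the precedence order GMPC shows on the Group Policy Inheritance tab.
(Get-GPInheritance -Target $ouFew.DistinguishedName).InheritedGpoLinks |
    Select-Object Order, DisplayName, Target, Enforced | Format-Table -AutoSize
```

Keep the common GPO at the top and resist the temptation to link the same GPO at several OUs; one link high up is easier to reason about and to audit than three identical links lower down.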

7. For a GPO to apply to a user or computer, that security principal must hold two rights on the GPO:
       a. Read
       b. Apply Group Policy (known in shorthand as the AGP right)
   By default, Authenticated Users are granted Read and Apply Group Policy on every new GPO, unless someone changes the ACL (security filtering) afterwards. One caveat since the June 2016 security update MS16-072: user settings are now retrieved in the computer's security context, so if you remove Authenticated Users from a GPO to filter it to a group, you must still grant Read (not Apply) to Domain Computers or Authenticated Users, or the user settings silently stop applying.
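An added PowerShell audit (not code from the original post) that walks every GPO and reports who holds Apply Group Policy and whether Read is still granted to Authenticated Users or Domain Computers, the MS16-072 problem described above. It assumes the GroupPolicy module and the default group names; the GPO name in the remediation line at the end is an assumption, and the "has user settings" test is a heuristic on the user-side version counter.

```powershell
# Added example, not from the original post.
Import-Module GroupPolicy

function Get-GpoAclReport {
    # One row per GPO: who can apply it, and whether computer accounts can still read it.
    foreach ($gpo in Get-GPO -All) {
        $perms      = Get-GPPermission -Guid $gpo.Id -All
        $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'   # every level that implies Read
        $has = {
            param($Trustee, [string[]]$Levels)
            [bool]($perms | Where-Object { $_.Trustee.Name -eq $Trustee -and $_.Permission -in $Levels -and -not $_.Denied })
        }
        [pscustomobject]@{
            GPO                 = $gpo.DisplayName
            AuthUsersApply      = & $has 'Authenticated Users' @('GpoApply')
            AuthUsersRead       = & $has 'Authenticated Users' $readLevels
            DomainComputersRead = & $has 'Domain Computers'    $readLevels
            ApplyTrustees       = ($perms | Where-Object { $_.Permission -eq 'GpoApply' } | ForEach-Object { $_.Trustee.Name }) -join ', '
            HasUserSettings     = $gpo.User.DSVersion -gt 0    # heuristic: the user-side version only moves when user settings were edited
        }
    }
}

$report = Get-GpoAclReport
$report | Format-Table -AutoSize

# GPOs with user settings that no computer account can read: after MS16-072 their user
# settings stop applying even though the filtered group still holds Apply Group Policy.
$broken = $report | Where-Object { $_.HasUserSettings -and -not $_.AuthUsersRead -and -not $_.DomainComputersRead }
$broken | Select-Object GPO, ApplyTrustees | Format-Table -AutoSize

# Fix for one such GPO (name assumed): give Domain Computers Read only, not Apply, so the
# security filtering still decides who receives the settings.
# Set-GPPermission -Name 'Finance Users Policy' -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead
```

Run the report before and after any change to security filtering; the ApplyTrustees column is also a quick way to spot a GPO that has quietly been filtered to a single user or to an unexpected group.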

8. The GPO comment is stored in a plaintext file:
       \\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\GPO.cmt
   Comments on individual settings are stored in two XML files per GPO, one for Computer Configuration and one for User Configuration:

       \\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\Machine\comment.cmtx
       \\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\User\comment.cmtx

   SYSVOL is readable by every authenticated user in the domain, so never put credentials or other sensitive details in a GPO comment.

9. Checking the health of your Group Policy, and being able to back it up and restore it, is very important. Third-party IT audits regularly ask for evidence of a working backup and restore process. Deleting one GPO by mistake is usually survivable, but if half of the GPOs are deleted or corrupted the result is production impact, logon failures and a long list of other problems. A GPO has two parts: the GPC (Group Policy Container), the object in Active Directory under CN=Policies,CN=System, and the GPT (Group Policy Template), the folder of files in SYSVOL. Each side carries its own version numbers and the two must match. When a backup is performed, the GPC and the GPT are combined and written out as a set of files. To back up a GPO, the account (or delegated group) must have at least Read on that GPO. Note that a GPO backup does not include the GPO's links to sites, domains or OUs, so record those separately. There is a PowerShell cmdlet for backups too:

    Backup-GPO -All -Path C:\GpoBackups -Comment "DomainGPODated****"
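An added PowerShell example (not code from the original post) of the backup and health check described above: it backs up all GPOs into a dated folder, saves the links the backup does not contain, exports an HTML settings report for the auditors, and flags any GPO whose GPC (Active Directory) and GPT (SYSVOL) version numbers disagree. The backup root C:\GpoBackups follows the post's own command; the folder layout, the restore target name and everything else are assumptions.

```powershell
# Added example, not from the original post. Run as a user with Read on all GPOs
# and with the ActiveDirectory and GroupPolicy modules available.
Import-Module ActiveDirectory, GroupPolicy

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$dest  = Join-Path 'C:\GpoBackups' $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# 1. Back up every GPO: settings, ACL and the WMI filter *link* go into <dest>\<backup id>\ plus manifest.xml.
$backups = Backup-GPO -All -Path $dest -Comment "Domain GPO backup $stamp"

# 2. The backup does not contain GPO links, so save them from every link target (domain + all OUs).
$targets = @((Get-ADDomain).DistinguishedName) + @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)
$links = foreach ($t in $targets) {
    (Get-GPInheritance -Target $t).GpoLinks | Select-Object Target, DisplayName, GpoId, Order, Enabled, Enforced
}
$links | Export-Csv -Path (Join-Path $dest 'gpo-links.csv') -NoTypeInformation

# 3. Health check: the AD side (GPC) and the SYSVOL side (GPT) carry independent version numbers
#    for user and computer settings; a mismatch means replication is behind or SYSVOL is damaged.
function Get-GpoHealth {
    foreach ($g in Get-GPO -All) {
        [pscustomobject]@{
            GPO            = $g.DisplayName
            Status         = $g.GpoStatus            # AllSettingsDisabled is worth a second look too
            UserDS         = $g.User.DSVersion
            UserSysvol     = $g.User.SysvolVersion
            ComputerDS     = $g.Computer.DSVersion
            ComputerSysvol = $g.Computer.SysvolVersion
            Healthy        = ($g.User.DSVersion -eq $g.User.SysvolVersion) -and
                             ($g.Computer.DSVersion -eq $g.Computer.SysvolVersion)
        }
    }
}
$health   = Get-GpoHealth
$mismatch = @($health | Where-Object { -not $_.Healthy })
$mismatch | Format-Table -AutoSize

# 4. Human-readable settings report of every GPO, stored next to the backup for the auditors.
Get-GPOReport -All -ReportType Html -Path (Join-Path $dest 'AllGPOs.html')

"Backed up $(@($backups).Count) GPOs to $dest; $($mismatch.Count) GPO(s) with a GPC/GPT version mismatch"

# 5. Restore test (in a lab first): brings one GPO back by display name from this backup set.
#    Links must then be re-created from gpo-links.csv with New-GPLink.
# Restore-GPO -Name 'Domain Baseline' -Path $dest
```

Schedule this, keep more than one generation of backup folders, and actually run the restore step in a lab now and then; a backup nobody has ever restored from is not evidence of a working process, which is exactly what the audit asks for.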

10. The maximum wait before a new or moved GPO (or a moved object) takes effect in the domain is the sum of:
       a. about 30 minutes for Active Directory and SYSVOL replication to reach the client's domain controller (the rule of thumb used here; the real figure depends on your replication topology)
       b. 90 minutes, the default Group Policy background refresh interval for domain members
       c. up to 30 minutes, the random offset added to that interval so clients do not all refresh at once
    So in the worst case about 150 minutes. Domain controllers refresh every 5 minutes by default, and gpupdate /force on a client (or Invoke-GPUpdate from the GPMC) skips the wait once replication has completed.

11. Policies that affect Remote Desktop Connection
       1. Computer settings for Remote Desktop Services: Computer Configuration ➢ Policies ➢ Administrative Templates ➢ Windows Components ➢ Remote Desktop Services.
       2. User settings for Remote Desktop Services (formerly Terminal Services) clients: User Configuration ➢ Policies ➢ Administrative Templates ➢ Windows Components ➢ Remote Desktop Services.

The Group Policy topic in Active Directory is like the sea: every time you look, you find new things and new ways to do tasks. I will be updating this with more on same-domain trust GPOs and cross-forest domain GPOs.

Always learn, earn and share the knowledge. Share the blog, and leave feedback and comments; I will be very happy to hear from you.
