3/27/2011

Group Policy Notes

"Stream of consciousness" notes on Group Policies

FWIW

- either the computer settings or the user settings get applied, not both -- as one might expect.
- e.g. logging on to a machine in the TRAINING OU: only the computer settings are applied (since the user object is in another OU).
- when appropriate, disable the user or computer portion -- whichever doesn't apply.
- a GPO can be linked at the domain, site, OU, or local level.
- cannot be applied to a container (e.g. Builtin, Computers, Users).
- avoid using site GPOs.
- order of application: Local, Site, Domain, OU.
- GPO components: GP Container (GPC), GP Template (GPT).
- Advertise application = allows install from Add/Remove Programs. (Publish = do the install automatically.)
- Start > Run: dssite.msc, domain.msc, dnsmgmt.msc, winsmgmt.msc
- sysvol\[domain]\Policies (templates) must match the AD System\Policies container.
- GUIDs are universal.
- Other paths to the GPT (group policy templates) -- both of the below point to the exact same location:
  - c:\windows\sysvol\domain\policies
  - c:\windows\sysvol\sysvol\[domain]\policies
- When working directly with GPTs always use: c:\windows\sysvol\domain\policies
- GPC replicates with AD. GPTs replicate via RPC with FRS or DFSR (at the 2008 AD functional level).
- In 2003, ADSIEDIT shows properties and replication status of policies.
- The ADM folder on sysvol is not necessary, but access to the ADM files from somewhere is needed when administering.
- A copy of this folder is made for every policy -- this is the vast majority of the space consumed for policies on sysvol.
- Versions: bit 5 from the right is incremented when the user policy is changed, bit 1 is incremented when the computer policy is changed.
- do NOT disable the default domain policy and make your own domain policy.
  - If you copy the default domain policy, disable the original and work from the copy, it "works", but some software looks for the default policy's GUID when adjusting settings.
  - Just leave the default domain policy blank and create another policy.
- SYSVOL replication can use DFSR in a 2008 functional level domain. Requires running DFSRMIG.EXE.

- Local policies are saved in: c:\windows\system32\GroupPolicy
- gPLink points to the GPC; the GPC points to the GPT.
- The GPC stores the version number in the "VersionNumber" attribute of the GPO.
- The GPT stores the version number in the GPT.INI file.
- A utility named GPOTOOL can help identify issues or problems.
- Refresh interval:
  - DCs: 5 minutes
  - Others: 90-120 minutes
- Run GPRESULT /V -- shows what happened the last time policy was applied. Uses RSOP, which requires read permission for the domain.
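As an added example (not part of these notes), a PowerShell script that decodes a GPO version number and compares the AD side (the GPC's VersionNumber attribute) with the SYSVOL side (the GPT.INI file), the kind of GPC/GPT mismatch one would otherwise hunt for with GPOTOOL. It assumes the documented layout of the version number (low 16 bits = computer version, high 16 bits = user version); the sample values are constructed.

```powershell
# Added example, not from the original notes. Decodes a GPO version number and
# compares the AD side (GPC "versionNumber" attribute) with the SYSVOL side
# (GPT.INI "Version=" line). Layout assumed from the documented format:
# low 16 bits = computer version, high 16 bits = user version.

function ConvertFrom-GpoVersion {
    param([Parameter(Mandatory)][uint32]$Version)
    [pscustomobject]@{
        Raw      = $Version
        Computer = $Version -band 0xFFFF           # low 16 bits
        User     = ($Version -shr 16) -band 0xFFFF # high 16 bits
    }
}

function Get-GptIniVersion {
    # $IniText is the content of a GPT.INI (one string per line).
    param([Parameter(Mandatory)][string[]]$IniText)
    foreach ($line in $IniText) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [uint32]$Matches[1] }
    }
    throw 'No Version= entry found in GPT.INI'
}

function Test-GpoVersionSync {
    # $GpcVersion: versionNumber attribute of the GPC object in AD.
    # $IniText:    lines of the matching GPT.INI under sysvol\domain\policies\{GUID}.
    param(
        [Parameter(Mandatory)][uint32]$GpcVersion,
        [Parameter(Mandatory)][string[]]$IniText
    )
    $gpc = ConvertFrom-GpoVersion $GpcVersion
    $gpt = ConvertFrom-GpoVersion (Get-GptIniVersion $IniText)
    [pscustomobject]@{
        GpcComputer = $gpc.Computer
        GptComputer = $gpt.Computer
        GpcUser     = $gpc.User
        GptUser     = $gpt.User
        InSync      = ($gpc.Raw -eq $gpt.Raw)   # $false => one side has not caught up with the other
    }
}
# Constructed sample: AD says user=3 / computer=7, SYSVOL still says user=2 / computer=7,
# i.e. the last user-side edit has not reached this copy of the GPT yet.
$sampleGpcVersion = [uint32]((3 -shl 16) -bor 7)   # 196615
$sampleGptIni = @(
    '[General]',
    'Version=131079',                              # (2 -shl 16) -bor 7
    'displayName=Sample Policy'
)
Test-GpoVersionSync -GpcVersion $sampleGpcVersion -IniText $sampleGptIni | Format-List
```

To run it against a live GPO, pass the versionNumber from Get-ADObject on the GPC's distinguished name (with -Properties versionNumber) and the lines from Get-Content of the matching GPT.INI under the sysvol path noted above.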

- ADPREP /DOMAINPREP /GPPREP -> sets permissions.
- Restore domain policies to default and reset ACLs -- caution! Find the KB article for caveats.
  - DCGPOFIX.EXE - Win2003 & later
  - RECREATEDEFPOL.EXE - Win2000
- Templates:
  - ADM - pre-Vista - language specific - required for each policy
  - ADMX - based on XML - Vista & later
  - ADML files - associated with an ADMX file - the language-specific portion of the template.
  - c:\windows\PolicyDefinitions on Vista and later machines.

- GPMC - Group Policy Management Console
  - v1 - Windows XP, 2003
  - v2 - Vista and later
  - administer from one or the other, not both.
- Go into GPMC and back up GPOs!!!
- Custom ADM files must be imported.

- Using a Central Store of ADMX files: KB929841
