Windows Server 2003

1
Windows Server 2003?????????

• ???
• jeffl_at_ms11.hinet.net

2
What Happens When GPOs Conflict

• How conflicts are resolved
• All Group Policy Settings Apply Unless There Are
  Conflicts
• The Last Setting Processed Applies
• When settings from different GPOs in the Active
  Directory hierarchy conflict, the child container
  GPO settings apply
• When settings from GPOs linked to the same
  container conflict, the settings for the GPO
  highest in the GPO list apply
• A Computer Setting Applies When It Conflicts with
  a User Setting
• Options for modifying inheritance
• No Override (Enforce)
• Block Policy inheritance

3
Blocking the Deployment of a GPO

• Stops inheritance of all GPOs from all parent
  containers
• Cannot selectively choose which GPOs are blocked
• Cannot stop No Override

4
Enabling No Override

• No Override
• Overrides Block Inheritance and GPO conflicts
• Should be set high in the Active Directory tree
• Is applicable to links and not to GPOs
• Enforces corporate-wide rules

5
How to Configure Group Policy Enforcement
6
Attributes of a GPO Link
7
Filtering the Deployment of a GPO
8
What Is Loopback Processing?
9
What Are WMI Filters?
InstallOffice?
500 MB free disk space?
WMI Filter
Administrator
GPO
10 GB
35 GB
400 MB
750 MB
10
Example of WMI Query

• Select FROM Win32LogicalDisk WHERE (Name C
  OR Name D OR Name E) AND DriveType 3
  AND FreeSpace gt 10485760 AND FileSystem NTFS
• Note
• DriveType Value 3 is a Hard Disk
• 10MB 10,485,760 bytes

11
Controlling the Processing of Group Policy

• Synchronous and Asynchronous Processing
• By default, the processing of Group Policy is
  synchronous
• You can change the processing of Group Policy to
  asynchronous by using a Group Policy setting for
  both computers and users
• Refreshing Group Policy at Established Intervals
  of
• 5 minutes for domain controllers
• 90 minutes for member servers running Windows
  Server 2003 and for computers running Windows
  2000 XP Professional
• Processing Unchanged Group Policy Settings
• You can configure each client-side extension to
  process all applicable Group Policy settings

12
Group Policy and Slow Network Connections

• Group Policy Can Detect a Slow Link
• Group Policy Uses an Algorithm to Determine
  Whether a Link Should Be Considered Slow
• Default is 500 kbps
• Group Policy Sets a Flag to Indicate a Slow Link
  to the Client-side Extensions
• userenv.dll, dskquota.dll, fdeploy.dll,
  gptext.dll, appmgmts.dll, scecli.dll,
  iedkcs32.dll, etc.

13
Default Settings for Slow Link Processing
14
Why Specify a Domain Controller for Managing GPOs?

• When You Create a New GPO or Edit an Existing
  GPO, by Default, the Domain Controller That Holds
  the PDC Emulator Role Performs the Operation
• The Options Available to Specify a Domain
  Controller for Managing GPOs Include
• The one with the Operations Master token for the
  PDC emulator
• The one used by the Active Directory snap-ins
• Use any available domain controller
• To Specify a Domain Controller for Managing Group
  Policy Objects
• Use the DC Options command on the View menu in
  the Group Policy snap-in
• Enable a Group Policy setting that specifies
  which domain controller should be used

15
Specifying a Domain Controller for Managing Group
Policy Objects
Choose a domain controller to avoid replication
conflicts
16
What Is Group Policy Modeling?
17
What Is Group Policy Results?
18
What Is Gpupdate and Gpresult?

• Syntax of gpupdate

gpupdate /TargetComputer User /Force
/WaitValue /Logoff /Boot /Sync
Syntax of gpresult
gpresult /s Computer /u Domain\User /p
Password /user TargetUserName /scope
usercomputer /v /z