Module 11: Implementing Group Policy

Contents:

Module Overview

Lesson 1: Overview of Group Policy

Lesson 2: Group Policy Processing

Lesson 3: Implementing a Central Store for Administrative Templates

Lab: Implementing Group Policy

Module Review and Takeaways

Module Overview

Maintaining a consistent computing environment across an organization is challenging.


Administrators need a mechanism to configure and enforce user and computer settings and
restrictions. Group Policy can provide that consistency by enabling administrators to manage
and apply configuration settings centrally.

This module provides an overview of Group Policy and provides details about how to
implement Group Policy.

Objectives

After completing this module, you should be able to:

• Create and manage Group Policy Objects (GPOs).


• Describe Group Policy processing.

• Implement a central store for administrative templates.

Lesson 1 : Overview of Group Policy

You can use Group Policy to control the settings of the computing environment. It is
important to understand how Group Policy functions, so you can apply Group Policy
correctly. This lesson provides an overview of Group Policy structure, and defines local and
domain-based GPOs. It also describes the types of settings available for users and groups.

Lesson Objectives
After completing this lesson, you should be able to:

• Describe the components of Group Policy.

• Describe multiple local GPOs.

• Describe storage options for domain GPOs.

• Describe GPO policies and preferences.

• Describe starter GPOs.

• Describe the process of delegating GPO management.

• Describe the process of creating and managing GPOs.


Components of Group Policy

Group Policy settings are configuration settings that allow administrators to enforce settings
by modifying the computer-specific and user-specific registry settings on domain-based
computers. You can group together Group Policy settings to make GPOs, which you can then
apply to users or computers.

GPOs
A GPO is an object that contains one or more policy settings that apply configuration settings
for users, computers, or both. The Group Policy template of a GPO is stored in SYSVOL, and the
Group Policy container object is stored in Active Directory® Domain Services (AD DS). You can
manage GPOs by using the Group Policy Management Console (GPMC). Within the GPMC, you open
and edit a GPO in the Group Policy Management Editor window. GPOs are linked to Active
Directory containers, and apply settings to the objects in those containers.

Group Policy Settings

A Group Policy setting is the most granular component of Group Policy. It defines a specific
configuration setting to apply to an object (a computer, a user, or both) within AD DS. Group
Policy has thousands of configurable settings. These settings can affect nearly every area of
the computing environment.
However, not every setting applies to every version of Windows Server® and Windows®. Each
new version introduces settings that only that version and later versions understand; the
Supported on field of a setting states the minimum version. If a computer receives a setting
that it cannot process, it simply ignores the setting.

Most policy settings have three states:

• Not Configured. The GPO does not modify the existing configuration of the particular
setting for the user or computer.

• Enabled. The policy setting is applied.

• Disabled. The policy setting is reversed.

By default, most settings are set to Not Configured.

Note: Some settings are multivalued or have text string values, and you can use them
to provide specific configuration details to apps or operating-system components. For
example, a setting might provide the URL of the home page that Windows Internet
Explorer® uses or the path to blocked apps.

The effect of a configuration change depends on the policy setting. For example, if you enable
the Prohibit Access to Control Panel policy setting, users cannot open Control Panel. If you
disable the policy setting, you ensure that users can open Control Panel. Notice the double
negative in this policy setting. You disable a policy that prevents an action, thereby allowing
the action.

Group Policy Settings Structure

There are two distinct areas of Group Policy settings:

• User settings. The settings that modify the HKEY_CURRENT_USER hive of the registry. Managed
policy settings are written under the Software\Policies and
Software\Microsoft\Windows\CurrentVersion\Policies keys of that hive.
• Computer settings. The settings that modify the HKEY_LOCAL_MACHINE hive of the registry,
under the same Policies keys.

User and computer settings each have three areas of configuration:

• Software settings. Contain software settings that you can deploy to the user or the
computer. Software that you deploy to a user is specific to that user. Software that you
deploy to the computer is available to all users of that computer.

• Windows settings. Contain script settings and security settings for both user and computer,
and Internet Explorer Maintenance settings for the user configuration.

• Administrative templates. Contain hundreds of settings that modify the registry to control
various aspects of the user and computer environment. Microsoft® or other vendors may create
new administrative templates, such as the Microsoft Office templates, which you can download
from the Microsoft website and then add to the Group Policy Management Editor.

Group Policy Management Editor Window

The Group Policy Management Editor window displays the individual Group Policy settings
that are available in a GPO. The window displays the settings in an organized hierarchy that
begins with the division between computer and user settings, and then expands to show the
Computer Configuration and User Configuration nodes. The Group Policy Management
Editor window is where you configure all Group Policy settings and preferences.

Group Policy Preferences

A Preferences node is present under both the Computer Configuration and User Configuration
nodes in the Group Policy Management Editor window. The Preferences node provides even
more capabilities with which to configure the environment, and a later section in this module
details them.
Local Group Policy

Every computer that runs a Windows client or server operating system also has a local GPO.
Local policy settings apply only to that computer, but you can export them and import them on
other computers.

New in Windows Server 2012 R2

Windows Server 2012 R2 offers several new or updated Group Policy settings and features for
computers that run Windows Server® 2012 R2 or Windows® 8.1. These settings and features
include:

• Faster processing by using the Group Policy Caching settings. These settings allow a
computer to read GPOs from a local cache when it runs synchronous (foreground) processing,
which is the default on Windows Server and on clients where the Always wait for the network
at computer startup and logon setting is enabled. The cache is populated during background
refresh and read during the next synchronous foreground processing.

• Increased support for IPv6. New Internet Protocol version 6 (IPv6) settings include the
ability to push IPv6 printers and IPv6 virtual private network (VPN) connections to
computers. Additionally, item-level targeting is available for IPv6.

• Extended logging for Group Policy operations. The Group Policy Operational event log
contains more details of operational events, including the length of processing time and the
time spent downloading policies, than previous versions. This log is available at
Event Viewer\Applications and Services Logs\Microsoft\Windows\GroupPolicy\Operational.

• Many new settings for Windows 8.1 and Windows Server 2012 R2, including settings for
managing the Start screen layout, configuring charms, and customizing background colors.

Storage of Domain GPOs


A GPO is made up of two components: a Group Policy template and a Group Policy container.

Group Policy Template

The Group Policy template is the collection of files that hold the settings you change. It is
stored in SYSVOL on every domain controller, in the %SystemRoot%\SYSVOL\domain\Policies\{GPOGUID}
folder, which clients reach through the \\<domain>\SYSVOL\<domain>\Policies\{GPOGUID} share path.
GPOGUID is the globally unique identifier (GUID) of the Group Policy container. When you create
a GPO, a new Group Policy template is created in SYSVOL, and a new Group Policy container is
created in AD DS.

Group Policy Container

The Group Policy container is an Active Directory object that is stored in the Active Directory
database. Each Group Policy container includes a GUID attribute that identifies the object
uniquely within AD DS. The Group Policy container defines basic attributes of the GPO, such
as links and version numbers, but it does not contain any of the settings.

By default, during a Group Policy refresh, the Group Policy client-side extensions only apply
GPO settings if the GPO has been updated.

The Group Policy client identifies an updated GPO by its version number. The version number is
a single 32-bit value: the low 16 bits count changes to the computer configuration and the
high 16 bits count changes to the user configuration, so each side increments independently
when its settings change. The value is stored in the versionNumber attribute of the Group
Policy container and in the Version line of the GPT.ini text file in the Group Policy template
folder. The Group Policy client records the version number of every GPO that it has applied.
If, during Group Policy refresh, the client finds that the version number in the Group Policy
container has changed, it notifies the client-side extensions that the GPO has been updated.
Because AD DS and SYSVOL replicate independently, the container and template copies can
disagree for a short time after an edit. The GPMC shows both values on the GPO's Details tab;
a persistent mismatch indicates a replication problem or an edit made outside the GPMC.

When editing a GPO, the version that you are editing is the version on the domain controller
that has the primary domain controller (PDC) emulator flexible single master operations, or
FSMO, role. It does not matter what computer you are using to perform the editing, the GPMC
focuses on the PDC emulator by default. However, you can change the focus of the GPMC to
edit a version on a different domain controller.
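The following script is an added example, not part of the course module. It reads the version number from both places described above, the Group Policy container in AD DS and GPT.ini in SYSVOL, decodes the packed computer and user halves, and reports whether the two copies agree. It assumes the GroupPolicy and ActiveDirectory RSAT modules and a GPO named "Desktop Lockdown" (a hypothetical name).

```powershell
# Added example (not from the course): compare a GPO's version number in the
# Group Policy container (AD DS) with the one in GPT.ini (SYSVOL) and decode
# the packed user/computer halves. Assumes the GroupPolicy and ActiveDirectory
# RSAT modules and a GPO named "Desktop Lockdown" (a hypothetical name).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Split-GpoVersion {
    # The versionNumber attribute and the Version= line in GPT.ini hold one
    # 32-bit value: computer version in the low 16 bits, user version in the
    # high 16 bits. Either half increments when that side of the GPO is edited.
    param([int64]$Packed)
    [pscustomobject]@{
        Computer = $Packed -band 0xFFFF
        User     = ($Packed -shr 16) -band 0xFFFF
    }
}

function Test-GpoVersionConsistency {
    param([Parameter(Mandatory)][string]$Name)

    $gpo = Get-GPO -Name $Name
    # $gpo.Path is the distinguished name of the Group Policy container;
    # gPCFileSysPath on that object points at the template folder in SYSVOL.
    $gpc = Get-ADObject -Identity $gpo.Path -Properties versionNumber, gPCFileSysPath
    $adVersion = Split-GpoVersion $gpc.versionNumber

    # GPT.ini is a plain INI file: [General] followed by Version=<packed value>
    $iniPath = Join-Path $gpc.gPCFileSysPath "GPT.ini"
    $ini = Get-Content -Raw -Path $iniPath
    if ($ini -notmatch '(?m)^\s*Version\s*=\s*(\d+)') {
        throw "No Version line found in $iniPath"
    }
    $sysvolVersion = Split-GpoVersion ([int64]$Matches[1])

    [pscustomobject]@{
        Gpo            = $gpo.DisplayName
        Id             = $gpo.Id
        AdComputer     = $adVersion.Computer
        SysvolComputer = $sysvolVersion.Computer
        AdUser         = $adVersion.User
        SysvolUser     = $sysvolVersion.User
        # A mismatch means AD DS and SYSVOL replication are out of step, or
        # that something edited the template files or the container directly
        # instead of going through the GPMC. Clients will not reliably pick
        # up the change until both copies agree.
        Consistent     = ($adVersion.Computer -eq $sysvolVersion.Computer) -and
                         ($adVersion.User -eq $sysvolVersion.User)
    }
}

Test-GpoVersionConsistency -Name "Desktop Lockdown" | Format-List
```

Get-GPO already exposes the same four numbers as Computer.DSVersion, Computer.SysvolVersion, User.DSVersion and User.SysvolVersion; the script reads the raw sources so the packing is visible and so the check can be run against a specific domain controller with -Server on the two Get- cmdlets.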
What Are Group Policy Preferences?
Group Policy preferences are a Group Policy feature, which includes more than 20 Group
Policy extensions that expand a GPO’s range of configurable settings. Configuring these
preferences helps reduce the need for logon scripts.

Characteristics of Preferences

Group Policy preferences:

• Exist for both computers and users.

• Are not enforced, unlike Group Policy settings. Users can change the configurations that
these preferences establish.

• Can be managed through the Remote Server Administration Tools (RSAT).

• Can be configured to apply only once (at startup or sign-in) or to be reapplied at every
Group Policy refresh.

• Are not removed when the GPO is no longer applied, unlike Group Policy settings.
However, you can change this behavior.

• Allow you to target certain users or computers by using a variety of methods, such as by the
user’s security group membership or by the operating-system version.

• Are not available for local GPOs.

• Do not disable the corresponding user interface control, unlike a Group Policy setting, so
users can still see and change the value that a preference sets.

Common Uses for Group Policy Preferences

You can configure many settings through Group Policy preferences. However, common uses
for configuring Group Policy preferences include to:

• Map network drives for users.


• Configure desktop shortcuts for users or computers.

• Set environment variables.

• Map printers.

• Set power options.

• Configure Start menus.

• Configure data sources.

• Configure Internet options.

• Schedule tasks.

What Are Starter GPOs?


Starter GPOs are templates that assist in the creation of GPOs. When creating new GPOs, you
can choose to use a starter GPO as the source. This makes it easier and faster to create
multiple GPOs with the same baseline configuration.

Available Settings

Starter GPOs contain settings from only the Administrative Templates node of either the User
Configuration section or the Computer Configuration section. The Software Settings and
Windows Settings nodes of Group Policy are not available, because these nodes involve
interaction of services, and are more complex and domain-dependent.

Exporting Starter GPOs

You can export starter GPOs to a cabinet file (.cab), and then load that .cab file into another
environment that is completely independent of the source domain or forest. By exporting a
starter GPO, you can send the .cab file to other administrators, who can use it in other areas.
For example, you might create a GPO that defines Internet Explorer security settings. If you
want all sites and domains to employ the same settings, you could export the starter GPO to
a .cab file, and then distribute it.

When to Use Starter GPOs

The most common situation in which you would use a starter GPO is when you want a group
of settings for a type of computer role. For example, you might want all corporate laptops to
have the same desktop restrictions, or you might want all file servers to have the same baseline
Group Policy settings, but you want to enable variations for different departments.

Included Starter GPOs

The GPMC includes a link to create a Starter GPO folder, which contains a number of
predefined starter GPOs. These policies provide preconfigured, security-oriented settings for
Enterprise Clients (EC), in addition to Specialized Security–Limited Functionality (SSLF)
clients for both user and computer settings on Windows Vista® and Windows XP with
Service Pack 2 (SP2) operating systems. You can use these policies as starting points when
you design security policies.

Delegating Management of GPOs


Administrators can delegate some of the Group Policy administrative tasks to other users.
These users do not have to be domain administrators; they can be users that are granted certain
rights to GPOs.

For example, a user who manages a particular organizational unit (OU) could be tasked with
performing reporting and analysis duties, while the help desk group is allowed to edit GPOs
for that OU. A third group made up of developers might oversee creation of the Windows
Management Instrumentation (WMI) filters.

The following Group Policy administrative tasks can be delegated independently:

• Creating GPOs, including creating Starter GPOs


• Editing GPOs

• Managing Group Policy links for a site, domain, or OU

• Performing Group Policy modeling analysis

• Reading Group Policy results data

• Creating WMI filters

Members of the Group Policy Creator Owners group can create new GPOs and edit or delete
GPOs that they have created.

Group Policy Default Permissions

By default, the following users and groups have full access to manage Group Policy:

• Domain Admins

• Enterprise Admins

• Creator Owner

• Local System

The Authenticated Users group has Read and Apply Group Policy permissions only.

Permissions for Creating GPOs

By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can
create new GPOs. You can use two methods to grant a group or user this right:

• Add the user to the Group Policy Creator Owners group

• Explicitly grant the group or user permission to create GPOs by using the GPMC
Permissions for Editing GPOs

To edit a GPO, the user must have both Read and Write access to the GPO. You can grant this
permission by using the GPMC.

Managing GPO Links

The ability to link GPOs to a container is a permission that is specific to that container. In the
GPMC, you can manage this permission by using the Delegation tab on the container. You can
also delegate it through the Delegation of Control Wizard in Active Directory Users and
Computers.

Group Policy Modeling and Group Policy Results

You can delegate the ability to use the reporting tools either through the GPMC or through the
Delegation of Control Wizard in Active Directory Users and Computers.

Creating WMI Filters

You can delegate the ability to create and manage WMI filters either through the GPMC or
through the Delegation of Control Wizard in Active Directory Users and Computers.

Demonstration: Creating and Managing GPOs


In this demonstration, you will see how to:

• Create a GPO by using the GPMC.

• Edit a GPO in the Group Policy Management Editor window.

• Use Windows PowerShell® to create a GPO.


Demonstration Steps

Create a GPO by using the GPMC

• Sign in to LON-DC1 as Administrator with the password Pa$$w0rd, and create a policy
named Prohibit Windows Messenger.

Edit a GPO in the Group Policy Management Editor window

1. Edit the policy to prohibit the use of Windows Messenger.

2. Link the Prohibit Windows Messenger GPO to the domain.

Use Windows PowerShell® to create a GPO named Desktop Lockdown

• In Windows PowerShell, import the GroupPolicy module, and then use the New-GPO cmdlet:

Import-Module GroupPolicy
New-GPO -Name "Desktop Lockdown"
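The following script is an added example, not part of the demonstration. It carries the PowerShell approach through the whole life cycle that the GPMC steps above perform by hand, and also shows the delegation described earlier in this lesson: create the GPO, put a managed setting in it, disable the unused configuration half, link it, delegate editing, and produce a report. It assumes the GroupPolicy RSAT module, a domain named adatum.com, an OU named Sales and a security group named Help Desk (all hypothetical names).

```powershell
# Added example (not part of the course module): create a GPO, configure a
# managed setting, link it, and delegate editing. Assumes the GroupPolicy RSAT
# module, domain adatum.com, OU "Sales" and group "Help Desk" (hypothetical).
Import-Module GroupPolicy

$domain   = "adatum.com"
$targetOu = "OU=Sales,DC=adatum,DC=com"

# 1. Create the GPO (creates the container in AD DS and the template in SYSVOL).
#    The comment appears on the Details tab and in reports; use it for change tracking.
$gpo = New-GPO -Name "Desktop Lockdown" -Domain $domain `
               -Comment "Restricts Control Panel for Sales users"

# 2. Configure a managed user setting. "Prohibit access to Control Panel and
#    PC settings" is backed by NoControlPanel under the Policies key, so it is
#    removed automatically when the GPO no longer applies.
Set-GPRegistryValue -Guid $gpo.Id -Domain $domain `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoControlPanel" -Type DWord -Value 1 | Out-Null

# 3. The GPO delivers only user settings, so disable the computer half to
#    skip it during processing (the GPMC "GPO Status" drop-down).
$gpo.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::ComputerSettingsDisabled

# 4. Link it to the Sales OU. Link order 1 is the highest precedence at that
#    container: it is applied last and wins conflicts with other links there.
New-GPLink -Guid $gpo.Id -Target $targetOu -LinkEnabled Yes -Order 1 | Out-Null

# 5. Delegate: Help Desk can edit settings but cannot delete the GPO or
#    change its security (the "Edit settings" level in the GPMC Delegation tab).
Set-GPPermission -Guid $gpo.Id -TargetName "Help Desk" -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# 6. Verify: who holds which permission, and an HTML settings report for review.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission, Inherited
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$env:TEMP\DesktopLockdown.html"
```

Set-GPRegistryValue writes a registry-based policy exactly as the Administrative Templates editor would; for settings that are not registry-backed (security settings, scripts, preferences) you still use the Group Policy Management Editor.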

Lesson 2: Group Policy Processing

Understanding how Group Policy is applied is the key to being able to develop a Group Policy
strategy. This lesson shows you how Group Policy is associated with Active Directory objects,
how it is processed, and how to control the application of Group Policy. After creating the
GPOs and configuring the settings that you want to apply, you must link them to containers.
GPOs are applied in a specific order, and this order can determine what settings are applied to
objects. Two default policies are created automatically, and you can use them to deliver
password and security settings for the domain and for domain controllers. You also can
control policy application by using security filtering.

Lesson Objectives
After completing this lesson, you should be able to:

• Describe a GPO link.

• Explain how to apply GPOs to containers and objects.

• Describe the Group Policy processing order.

• Describe the default GPOs.

• Describe GPO security filtering.

GPO Links
Once you have created a GPO and defined all the settings that you want it to deliver, the next
step is to link the policy to an Active Directory container. A GPO link is the logical
connection of the policy to a container. You can link a single GPO to multiple containers by
using the GPMC, including the following container types:

• Sites

• Domains

• OUs

Once you link a GPO to a container, by default the policy applies to all objects in that
container and in all child containers under it, because the default permissions of the GPO
give Authenticated Users the Read and Apply Group Policy permissions. You can modify this
behavior by managing permissions on the GPO.
You can disable a link, which stops the GPO from applying through that container without
changing the GPO. You also can delete a link, which removes only the logical connection to the
container, not the GPO itself.

You cannot link GPOs directly to users, groups, or computers. Furthermore, you cannot link
GPOs to the system containers in AD DS, such as Builtin, Computers, Users, or Managed Service
Accounts, because they are containers rather than OUs. Objects in those containers receive
only the GPOs that are linked at the site and domain levels. If new computer or user accounts
need OU-level policy, redirect the default locations to OUs by using the redircmp and
redirusr command-line tools.

Applying GPOs

Computer configuration settings are applied at startup, and then are refreshed at regular
intervals. Any startup scripts run at computer startup. The default background refresh
interval is 90 minutes plus a random offset of up to 30 minutes, and both values are
configurable. The exception is domain controllers, which refresh their settings every five
minutes.

User settings are applied at sign-in and are refreshed at regular, configurable intervals;
the default is 90 minutes plus the same random offset. Prior to Windows 8.1 and Windows Server
2012 R2, logon scripts run at sign-in. By default, in Windows 8.1 and Windows Server 2012 R2,
logon scripts run five minutes after sign-in. You can remove this delay by modifying the
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Logon
Script Delay setting.
Note: Some user settings require two sign-ins before the user sees the effect of
the GPO. Windows client operating systems use Fast Logon Optimization: the user is
signed in with the previously applied policy while Group Policy is processed
asynchronously in the background. Client-side extensions such as Folder Redirection
and Software Installation can apply only during synchronous (foreground) processing,
so when the client discovers such a change it marks the next sign-in to be processed
synchronously, and the setting takes effect then. Enabling the Always wait for the
network at computer startup and logon setting forces synchronous processing at every
sign-in.

You can change the refresh interval by configuring a Group Policy setting. For computer
settings, the refresh interval setting is found in the Computer
Configuration\Policies\Administrative Templates \System\Group Policy node. For user
settings, the refresh interval is found at the corresponding settings under User Configuration.
An exception to the refresh interval is the security settings. The security settings section of the
Group Policy is refreshed at least every 16 hours, regardless of the interval that you set for the
refresh interval.

You also can refresh Group Policy manually. The Gpupdate command-line tool applies any GPOs
whose version has changed. The Gpupdate /force command reapplies all Group Policy settings,
including those whose GPO has not changed. The Windows PowerShell Invoke-GPUpdate cmdlet,
introduced in Windows Server 2012, performs the same function and can target remote computers.

Remote Policy Refresh, introduced in Windows Server 2012 and Windows 8, allows administrators
to use the GPMC to target an OU and force a Group Policy refresh on all of its computers and
their currently signed-in users. To force a refresh, right-click an OU, and then click Group
Policy Update. The GPMC creates a scheduled task on each computer that runs gpupdate /force
after a random delay of up to 10 minutes. The target computers must allow the inbound firewall
rules for remote scheduled task management and Windows Management Instrumentation (WMI); the
GPMC includes the Group Policy Remote Update Firewall Ports starter GPO for this purpose.

Group Policy Processing Order


GPOs are not applied simultaneously. Rather, they are applied in a logical order, and GPOs
that are applied later in the process overwrite any conflicting policy settings that were applied
earlier.

GPOs are applied in the following order:


1. Local GPOs. Local GPOs are processed first. Computers that are running Windows
operating systems already have a configured local Group Policy.

2. Site GPOs. Policies that are linked to sites are processed next.

3. Domain GPOs. Policies that are linked to the domain are processed next. There are often
multiple policies at the domain level. These policies are processed according to their link order.

4. OU GPOs. Policies linked to OUs are processed next. These policies contain settings that
are unique to the objects in that OU. For example, the Sales users might have special
required settings. You can link a policy to the Sales OU to deliver those settings.

5. Child OU policies. Any policies that are linked to child OUs are processed last.

Objects in the containers receive the cumulative effect of all polices in their processing order.
In the case of a conflict between settings, the last policy applied takes effect. For example, a
domain-level policy might restrict access to registry editing tools, but you could configure an
OU-level policy and link it to the IT OU to reverse that policy. Because the OU-level policy is
applied later in the process, access to registry tools would be available.

Note: Other methods such as Enforcement and Inheritance Blocking can change the
effect of policies on containers.

If multiple policies are linked at the same level, the administrator can set the link order to
control the order of processing. In the GPMC, link order 1 has the highest precedence: that
link is processed last and therefore wins any conflict with the other links at that container.
By default, links are placed in the order in which the policies were linked.

The administrator also can disable the user or computer configuration of a particular GPO. If
one section of a policy is empty, you should disable it to speed up policy processing. For
example, if there is a policy that only delivers user desktop configuration, the administrator
could disable the computer side of the policy.
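The following script is an added example, not part of the course module. It lists every GPO that applies at a given OU in the order the client processes them, so that the last one (which wins conflicts) is visible, and flags enforced links and blocked inheritance. It assumes the GroupPolicy RSAT module and a hypothetical OU "OU=Sales,DC=adatum,DC=com".

```powershell
# Added example (not from the course): list the GPOs that apply at an OU in
# processing order, so you can see which settings win. Assumes the GroupPolicy
# RSAT module and a hypothetical OU "OU=Sales,DC=adatum,DC=com".
Import-Module GroupPolicy

function Get-GpoPrecedence {
    param([Parameter(Mandatory)][string]$TargetDn)

    $inh = Get-GPInheritance -Target $TargetDn

    # InheritedGpoLinks holds the OU's own links plus the inherited domain and
    # parent-OU links, sorted by precedence: index 0 is the link applied LAST,
    # which wins conflicts. Reverse it to show the order the client processes.
    $links = @($inh.InheritedGpoLinks)
    [array]::Reverse($links)

    $i = 0
    foreach ($link in $links) {
        $i++
        [pscustomobject]@{
            ProcessedAs   = $i
            Gpo           = $link.DisplayName
            LinkedAt      = $link.Target      # domain or OU DN that holds the link
            Enabled       = $link.Enabled
            Enforced      = $link.Enforced    # enforced links survive inheritance blocking
            WinsConflicts = ($i -eq $links.Count)
        }
    }

    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "$TargetDn blocks inheritance; only enforced links from above are included."
    }
}

# Site-linked GPOs are not shown: they depend on the IP subnet the computer
# is in when it processes policy. Check those with gpresult /r on the computer.
Get-GpoPrecedence -TargetDn "OU=Sales,DC=adatum,DC=com" | Format-Table -AutoSize
```

Local GPOs are processed before any of these links and are outside what AD DS can report; security filtering and WMI filters can also remove a listed GPO for a particular object, which is what the Group Policy Results tools in the next lesson show.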
What Are Multiple Local GPOs?
In Windows operating systems prior to Windows Vista, there was only one local GPO, and its
user configuration applied to every user who signed in to that computer. Windows Vista and
newer client operating systems, and Windows Server 2008 and newer server operating systems,
add multiple local GPOs: you can have different user settings for different local users, or
for administrators and non-administrators. This applies only to the user configuration; there
is still only one set of computer configuration settings, and it affects all users of the
computer.

Computers that run these operating systems provide this ability with the following three
layers of local GPOs:

• Local Group Policy (contains the computer configuration settings)

• Administrators and Non-Administrators Local Group Policy

• User-specific Local Group Policy

Note: The exception to this feature is domain controllers. Due to the nature of their
role, domain controllers cannot have local GPOs.

How the Layers Are Processed

The layers of local GPOs are processed in the following order:

1. Local Group Policy

2. Administrators and Non-Administrators Group Policy

3. User-specific Local Group Policy


With the exception of the Administrator or Non-Administrator categories, it is not possible to
apply local GPOs to groups, but only to individual local user accounts. Domain users are
subject to the local Group Policy, or to the Administrator or Non-Administrator settings, as
appropriate.

Note: Domain administrators can disable processing local GPOs on clients that are
running Windows client operating systems and Windows Server operating systems by
enabling the Turn Off Local Group Policy Objects Processing policy setting.

What Are the Default GPOs?


During the installation of the AD DS role, two default GPOs are created: Default Domain
Policy, and Default Domain Controllers Policy.

Default Domain Policy


The Default Domain Policy is linked to the domain and affects all security principals in the
domain. It contains the default Password Policy, Account Lockout Policy, and Kerberos Policy
settings. As a best practice, this policy should not have other settings configured. If
you need to configure other settings to apply to the entire domain, then you should create new
policies to deliver the settings, and then link those policies to the domain.

Note: Currently, fine-grained password policies are the typical enterprise method of
enforcing password policies and account lockout settings, although they are beyond
the scope of this module.

Default Domain Controllers Policy

The Default Domain Controllers Policy is linked to the Domain Controllers OU, and should
only affect domain controllers. This policy provides auditing settings and user rights, and you
should not use it for other purposes.
GPO Security Filtering
By nature, a GPO applies to all the security principals in the container, and all child containers
below the parent. However, you might want to change that behavior and have certain GPOs
apply only to particular security principals. For example, you might want to exempt certain
users in an OU from a restrictive desktop policy. You can accomplish this through security
filtering.

Each GPO has an access control list (ACL) that defines permissions to that GPO. The default
permission is for Authenticated Users to have the Read and Apply Group Policy permissions
applied.

By adjusting the permissions in the ACL, you can control which security principals receive
permission to have the GPO settings applied. There are two approaches that you can take to do
this:

• Deny access to the Group Policy.

• Limit permissions to Group Policy.

Note: The Authenticated Users group includes all user and computer accounts that
have authenticated to AD DS.

Deny Access to Group Policy

If most security principals in the container should receive the policy settings but some should
not, then you can exempt particular security principals by denying them the Apply Group Policy
permission. For example, you might have a Group Policy that all the users in the Sales OU should
receive except the Sales Managers group. You can exempt that group (or user) by adding it to the
ACL of the GPO, and then setting its Apply Group Policy permission to Deny. Deny only Apply
Group Policy, and leave the Read permission in place.
Limit Permissions to Group Policy

Alternatively, if you have created a GPO that you want to apply only to a few security
principals in a container, you can change the Authenticated Users entry from Read and Apply
Group Policy to Read only, add the security principals that should receive the GPO settings,
and then grant those principals the Read and Apply Group Policy permissions. For example, you
might have a GPO with computer configuration settings that should apply only to laptop
computers. You would reduce Authenticated Users to Read, add a group that contains the laptop
computer accounts, and grant that group the Read and Apply Group Policy permissions. Keep the
Read permission for Authenticated Users (or for Domain Computers): since security update
MS16-072 (KB3163622), the computer account retrieves user-side GPOs, and a GPO that the
computer cannot read is not applied to anyone.

The ACL of a GPO is accessed in the GPMC by selecting the GPO in the Group Policy Objects
folder, clicking the Delegation tab, and then clicking Advanced.

Note: As a best practice, never deny the Authenticated Users group access to a GPO. If
you do, no security principal receives the GPO settings.
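The following script is an added example, not part of the course module. It performs the "limit permissions" approach from PowerShell in a way that keeps the GPO readable by computers, and then audits all GPOs in the domain for the opposite condition (no Read for Authenticated Users or Domain Computers), which is the usual after-effect of removing Authenticated Users entirely. It assumes the GroupPolicy RSAT module, a hypothetical GPO named "Laptop Power Settings" and a hypothetical security group "Laptop Computers" that contains the laptop computer accounts.

```powershell
# Added example (not from the course): security-filter a GPO to one group
# while keeping Read for Authenticated Users, then audit all GPOs for GPOs
# that no computer can read. Assumes the GroupPolicy RSAT module, a GPO named
# "Laptop Power Settings" and a group "Laptop Computers" (both hypothetical).
Import-Module GroupPolicy

function Limit-GpoToGroup {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    # Replace Authenticated Users' Read + Apply with Read only. Do not remove
    # the entry: since MS16-072 (KB3163622) the computer account reads user-side
    # GPOs, so a GPO that no computer can read is silently skipped.
    Set-GPPermission -Name $GpoName -TargetName "Authenticated Users" -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Grant Read + Apply Group Policy to the intended principals only.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    Get-GPPermission -Name $GpoName -All |
        Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
}

function Find-UnreadableGpos {
    # Flags GPOs that neither Authenticated Users nor Domain Computers can read.
    # These stop applying to users after MS16-072 and usually result from
    # removing Authenticated Users instead of reducing it to Read.
    $readLevels = @('GpoRead','GpoApply','GpoEdit','GpoEditDeleteModifySecurity')
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        $readable = $perms | Where-Object {
            ($_.Trustee.Name -in @('Authenticated Users','Domain Computers')) -and
            ([string]$_.Permission -in $readLevels)
        }
        if (-not $readable) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Id = $gpo.Id; Problem = 'No Read for computers' }
        }
    }
}

Limit-GpoToGroup -GpoName "Laptop Power Settings" -GroupName "Laptop Computers"
Find-UnreadableGpos | Format-Table -AutoSize
```

Set-GPPermission cannot create Deny entries, so the "deny access" approach described above is still done in the GPMC on the Delegation tab under Advanced (or by editing the ACL of the Group Policy container object directly).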

Discussion: Identifying Group Policy Application


For this discussion, review the AD DS structure in the graphic, read the scenario, and then
answer the questions on the slide.

Scenario

The following illustration represents a portion of the A. Datum Corporation's AD DS
structure, which contains the Sales OU with its child OUs and the Servers OU.
• GPO1 is linked to the Adatum domain container. The GPO configures power options that
turn off the monitors and disks after 30 minutes of inactivity, and restricts access to registry
editing tools.

• GPO2 has settings to lock down the desktops of the Sales Users OU, and configure printers
for Sales Users.

• GPO3 configures power options for laptops in the Sales Laptops OU.

• GPO4 configures a different set of power options to ensure that the servers never go into
power save mode.

Some users in the Sales OU have administrative rights on their computers, and have created
local policies to grant access specifically to Control Panel.

Discussion Questions

Based on this scenario, answer the following questions:


Question: What power options will the servers in the Servers OU receive?

Question: What power options will the laptops in the Sales Laptops OU receive?

Question: What power options will all other computers in the domain receive?

Question: Will users in the Sales Users OU who have created local policies to grant
access to Control Panel be able to access Control Panel?

Question: If you needed to grant access to Control Panel to some users, how would you
do it?

Question: Can you apply GPO2 to other department OUs?

Demonstration: Using Group Policy Diagnostic Tools


In this demonstration, you will see how to:

• Use Gpupdate to refresh Group Policy.

• Use the Gpresult command-line tool to output the results to an HTML file.

• Use the Group Policy Modeling Wizard to test the policy.

Demonstration Steps Use Gpupdate to refresh Group Policy

• On LON-DC1, use Gpupdate to refresh the GPOs.

Use the Gpresult command-line tool to output the results to an HTML file

1. Use Gpresult /H to create an HTML file that displays the current GPO settings.

2. Open the HTML report and review the results.

Use the Group Policy Modeling Wizard to test the policy

• Use the Group Policy Modeling Wizard to simulate a policy application for users in the
Managers OU who sign in to any computer.
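The following script is an added example, not part of the demonstration. It does from PowerShell what the three demonstration steps do by hand: forces a refresh on a remote computer, produces an RSoP report for a user on that computer, and reads the XML form of the report to show which GPOs actually applied and which were removed by security or WMI filtering. It assumes the GroupPolicy RSAT module, a hypothetical computer LON-CL1 on which the hypothetical user Adatum\Administrator has signed in at least once, and that the computer allows the Remote Scheduled Tasks Management and WMI firewall rules that Invoke-GPUpdate needs.

```powershell
# Added example (not from the course): refresh policy on a remote computer,
# pull an RSoP report, and list applied versus filtered GPOs. Assumes the
# GroupPolicy RSAT module, hypothetical computer LON-CL1 and user
# Adatum\Administrator (who must have signed in there before), and the
# Remote Scheduled Tasks Management and WMI inbound firewall rules.
Import-Module GroupPolicy

function Update-AndReportPolicy {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string]$User,      # DOMAIN\user with a profile there
        [string]$ReportDir = $env:TEMP
    )

    # Same effect as gpupdate /force on the target: reapplies all settings,
    # not only those whose GPO version changed. A random delay of 0 removes
    # the up-to-10-minute delay that the GPMC's Group Policy Update uses.
    Invoke-GPUpdate -Computer $Computer -Force -RandomDelayInMinutes 0 -ErrorAction Stop

    # Cmdlet form of gpresult /x (use -ReportType Html for the /h equivalent).
    $xmlPath = Join-Path $ReportDir "$Computer-rsop.xml"
    Get-GPResultantSetOfPolicy -Computer $Computer -User $User `
        -ReportType Xml -Path $xmlPath | Out-Null

    [xml]$rsop = Get-Content -Path $xmlPath
    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($gpo in $rsop.Rsop.$scope.GPO) {
            [pscustomobject]@{
                Scope        = $scope
                Gpo          = $gpo.Name
                LinkedAt     = $gpo.Link.SOMPath          # site, domain or OU of the link
                Applied      = ($gpo.IsValid -eq 'true') -and
                               ($gpo.FilterAllowed -eq 'true') -and
                               ($gpo.AccessDenied -eq 'false')
                AccessDenied = ($gpo.AccessDenied -eq 'true')   # security filtering removed it
                WmiFiltered  = ($gpo.FilterAllowed -eq 'false') # WMI filter evaluated false
            }
        }
    }
}

Update-AndReportPolicy -Computer "LON-CL1" -User "Adatum\Administrator" | Format-Table -AutoSize
```

The XML report is the same data that gpresult /x produces, so the parsing part of the function can be pointed at a report collected on the computer itself when remote access is not available.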

Lesson 3: Implementing a Central Store for Administrative Templates

Larger organizations might have many GPOs, managed by multiple administrators. When an
administrator edits a GPO, the Group Policy Management Editor loads the administrative
template (ADMX and ADML) files from the administrator's local workstation. The central store
provides a single folder in SYSVOL that holds the templates every administrator uses to create
and edit GPOs.

This lesson discusses the files that make up the templates, and covers how to create a central
store location to provide consistency in the templates that administrators use.

Lesson Objectives
After completing this lesson, you should be able to:

• Describe the central store.

• Describe administrative templates.

• Describe how administrative templates work.

• Describe managed and unmanaged policy settings.


What Is the Central Store?
If your organization has multiple administration workstations, there could be potential issues
when editing GPOs. If you do not have a central store that contains the template files, then the
workstation from which you are editing will use the .admx (ADMX) and .adml (ADML) files
that are stored in the local PolicyDefinitions folder. If different administration workstations
have different operating systems or are at different service pack levels, there might be
differences in the ADMX and ADML files. For example, the ADMX and ADML files that are
stored on a workstation running Windows 7 with no service pack installed might not be the
same as the files that are stored on a domain controller running Windows Server 2012. This
could lead to administrators not seeing the same settings in a GPO.

The central store addresses this issue. The central store provides a single point from which
administration workstations can download the same ADMX and ADML files when editing a
GPO. The central store is detected automatically by Windows operating systems (Windows
Vista or newer or Windows Server 2008 or newer). Because of this automatic behavior, the
local workstation that the administrator uses to perform administration always checks to see if
a central store exists before loading the local ADMX and ADML files in the Group Policy
Management Editor window. When the local workstation detects a central store, it then
downloads the template files from there. In this way, there is a consistent administration
experience among multiple workstations.

Creating and Provisioning the Central Store

You must create and provision the central store manually. First, on a domain controller, create a
folder named PolicyDefinitions under C:\Windows\SYSVOL\sysvol\{Domain Name}\Policies\. This
folder is now your central store. Then copy the entire contents of the local
C:\Windows\PolicyDefinitions folder into it, including the language-specific subfolders (such
as en-US) that hold the ADML files. Create the store on the PDC emulator, because that is the
domain controller the GPMC connects to by default; SYSVOL replication then copies it to the
other domain controllers. Remember that the central store only changes what the editor displays;
when a newer Windows release ships newer ADMX files, you must copy them into the store yourself.
What Are Administrative Templates?

An administrative template is made up of two XML files types:

• ADMX files that specify the registry setting to change. ADMX files are language-neutral.

• ADML files that generate the user interface to configure the Administrative Templates
policy settings in the Group Policy Management Editor window. ADML files are language-
specific.

ADMX and ADML files are stored in the %SystemRoot%\PolicyDefinitions folder or in the
central store. You can also create your own custom administrative templates in XML format.
Administrative templates that control Microsoft Office products (such as Office Word, Office
Excel and Office PowerPoint) are also available from the Microsoft website.

Administrative templates have the following characteristics:

• They are organized into subfolders that house configuration options for specific areas of the
environment, such as network, system, and Windows components.

• The settings in the Computer section edit the HKEY_LOCAL_MACHINE registry hive,
and settings in the User section edit the HKEY_CURRENT_USER registry hive.


• Some settings exist for both User and Computer. For example, there is a setting to prevent
Windows Messenger from running in both the User and the Computer templates. In case of
conflicting settings, the Computer setting prevails.

• Some settings are available only to certain versions of Windows operating systems.
Double-clicking the settings displays the supported versions for that setting. The system
ignores any setting that an older Windows operating system cannot process.

ADM Files
Prior to Windows Vista, administrative templates had an .adm file extension (ADM). ADM
files were language-specific, and were difficult to customize. ADM files are stored in
SYSVOL as part of the Group Policy template. If an ADM file is used in multiple GPOs, then
the file is stored multiple times. This increases the size of SYSVOL, and therefore increases
the size of Active Directory replication traffic.

How Administrative Templates Work


Administrative Templates have settings for almost every aspect of the computing
environment. Each setting in the template corresponds to a registry setting that controls an
aspect of the computing environment. For example, when you enable the setting that prevents
access to Control Panel, this changes the value in the registry key that controls that.
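Because each Administrative Templates setting is just a description of a registry value, the mapping is easiest to see in a template of your own. The following added example (not code from the course module) writes a minimal custom ADMX/ADML pair into the central store; the namespace, category, policy name and registry path are hypothetical, the schema elements are the standard ADMX ones, and the central store path is derived from the current domain. It also checks the one thing that most often makes a hand-written template fail to load: a $(string.X) reference in the ADMX with no matching string in the ADML.

```powershell
# Added example (not from the course module): a minimal custom administrative
# template installed into the central store. Names and registry path are hypothetical.
$central = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"

# ADMX (language-neutral): one policy, one registry value under the managed
# Software\Policies branch, so the Group Policy service removes it when the
# GPO falls out of scope. $(string.X) is literal inside a single-quoted here-string.
$admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="adatum" namespace="Adatum.Policies.AgentConfig" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="AdatumAgent" displayName="$(string.AdatumAgent)" />
  </categories>
  <policies>
    <policy name="BlockUpload" class="Machine"
            displayName="$(string.BlockUpload)" explainText="$(string.BlockUpload_Help)"
            key="Software\Policies\Adatum\Agent" valueName="BlockUpload">
      <parentCategory ref="AdatumAgent" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# ADML (language-specific): the strings the ADMX refers to.
$adml = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0">
  <displayName>Adatum agent settings</displayName>
  <description>Example template for the hypothetical Adatum agent</description>
  <resources>
    <stringTable>
      <string id="AdatumAgent">Adatum Agent</string>
      <string id="BlockUpload">Block diagnostic uploads</string>
      <string id="BlockUpload_Help">Enabled: HKLM\Software\Policies\Adatum\Agent\BlockUpload = 1. Disabled: = 0. Not configured: the value is removed.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

# Check before installing: every $(string.X) in the ADMX needs a <string id="X">
# in the ADML, otherwise the Group Policy Management Editor reports a parse error
# for the template and hides its settings.
$wanted  = [regex]::Matches($admx, '\$\(string\.(\w+)\)') |
           ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
$have    = ([xml]$adml).policyDefinitionResources.resources.stringTable.string.id
$missing = $wanted | Where-Object { $_ -notin $have }
if ($missing) { throw "ADML is missing string ids: $($missing -join ', ')" }

New-Item -ItemType Directory -Path "$central\en-US" -Force | Out-Null
Set-Content -Path "$central\AdatumAgent.admx"       -Value $admx -Encoding UTF8
Set-Content -Path "$central\en-US\AdatumAgent.adml" -Value $adml -Encoding UTF8
'Installed. Reopen the editor: Computer Configuration > Policies > Administrative Templates > Adatum Agent'
```

Writing to the central store needs write access to SYSVOL, which by default only Domain Admins and delegated administrators have; that is the right boundary, because whoever can place an ADMX there controls what every GPO editor in the domain sees.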

The following table details the organization of the Administrative Templates node.

Section: Computer settings

• Control Panel

• Network

• Printers

• System

• Windows Components

• All Settings

Section: User settings

• Control Panel

• Desktop

• Network

• Shared Folders

• Start Menu and Taskbar

• System

• Windows Components

• All Settings

Most of the nodes contain multiple subfolders that enable you to organize settings even further
into logical groupings. Even with this organization, finding the setting that you need might be
a daunting task.

To help you locate settings in the All Settings folder you can filter the entire list of settings in
either the computer or the user section. The following filter options are available:

• Managed or unmanaged

• Configured or not configured


• Commented

• By keyword

• By platform

You can also combine multiple criteria. For example, you could filter to find all the configured
settings that apply to Internet Explorer 10 by using the keyword ActiveX.

Managed and Unmanaged Policy Settings


There are two types of policy settings: managed and unmanaged. The policy settings that the
Group Policy Management Editor shows under Administrative Templates are, by default, managed
policies. The Group Policy service controls managed policy settings and removes a setting when
it is no longer within scope of the user or computer. Unmanaged policy settings are not under the
Group Policy service's control: they persist, and the service does not remove them when the GPO
no longer applies.

Managed Policy Settings


A managed policy setting has the following characteristics:

• The user interface (UI) is locked, so that a user cannot change the setting. Managed policy
settings result in disabling of the appropriate UI. For example, if you configure the desktop
wallpaper through a Group Policy setting, then those settings are grayed out in the user’s
local UI.

• Changes are made in the restricted areas of the registry to which only administrators have
access. These reserved registry keys are:

o HKLM\Software\Policies (computer settings)

o HKCU\Software\Policies (user settings)

o HKLM\Software\Microsoft\Windows\CurrentVersion\Policies (computer settings)

o HKCU\Software\Microsoft\Windows\CurrentVersion\Policies (user settings)

• Changes made by a Group Policy setting and the UI lockout are released if the user or
computer falls out of scope of the GPO. For example, if you delete a GPO, managed policy
settings that had been applied to a user are released. Typically, the setting then resets to its
previous state. Also, the UI for the setting is enabled again.

Unmanaged Policy Settings

In contrast, an unmanaged policy setting makes a change that is persistent in the registry. If the
GPO no longer applies, the setting remains. This is often called tattooing the registry—in
other words, making a permanent change. To reverse the effect of the policy setting, you must
deploy a change that reverts the configuration to the desired state. Additionally, an unmanaged
policy setting does not lock the UI for that setting.

By default, the Group Policy Management Editor window does not show unmanaged policy
settings, to discourage administrators from implementing a configuration that is difficult to
revert. Group Policy preferences items behave as unmanaged settings as well: they tattoo the
registry unless the item's Remove this item when it is no longer applied option is selected.
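The four registry roots listed above are what makes a setting managed, and they are also the quickest place to check what is actually being enforced on a machine. The following added example (not from the course module) enumerates those roots on the local computer and for the current user; the Internet Options check at the end uses the real value that the "Disable the General page" setting writes. Run it, unlink the GPO, refresh with gpupdate, and run it again: managed values disappear, whereas values tattooed by a preference item elsewhere in the registry stay put.

```powershell
# Added example (not from the course module): list the managed policy values
# enforced on this computer and user by reading the four Policies roots.
function Get-ManagedPolicyValue {
    $roots = @(
        'HKLM:\Software\Policies',
        'HKCU:\Software\Policies',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $scope = if ($root -like 'HKLM:*') { 'Computer' } else { 'User' }
        # The root key itself plus every subkey; each may carry values.
        $keys = @(Get-Item -Path $root) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Scope = $scope
                    Key   = $key.Name
                    Value = $name
                    Data  = $key.GetValue($name)
                }
            }
        }
    }
}

# Example check: is "Disable the General page" (Internet Options) enforced?
# The ADMX writes GeneralTab = 1 under ...\Internet Explorer\Control Panel.
$ieGeneral = Get-ManagedPolicyValue |
    Where-Object { $_.Key -like '*\Internet Explorer\Control Panel' -and $_.Value -eq 'GeneralTab' }
if ($ieGeneral) { "General tab locked by policy (Data=$($ieGeneral.Data))" }
else            { 'General tab not restricted by a managed policy' }

# Snapshot for diffing before and after a GPO change (or during an incident:
# an unexpected value here came either from a GPO or from something with
# administrator rights writing to a key only administrators can change).
Get-ManagedPolicyValue | Export-Csv -Path (Join-Path $env:TEMP 'policy-values.csv') -NoTypeInformation
```

Only managed settings show up here; a preference item that writes to, say, HKCU\Software\SomeApp is invisible to this scan, which is exactly why tattooed settings are hard to trace back to the GPO that set them.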

Lab: Implementing Group Policy

Scenario

A. Datum Corporation is a global engineering and manufacturing company with a head office
based in

London, England. An IT office and a data center are located in London to support the London
location and other locations. A. Datum has recently deployed a Windows Server 2012
infrastructure with Windows 8 clients.
In your role as a member of the server support team, you help to deploy and configure new
servers and services into the existing infrastructure based on the instructions given to you by
your IT manager.

Your manager has asked you to create a central store for ADMX files to ensure that everyone
can edit GPOs that have been created with customized ADMX files. You also need to create a
starter GPO that includes Internet Explorer settings, and then configure a GPO that applies
GPO settings for the Marketing department and the IT department.

Objectives
After completing this lab, you should be able to:

• Configure a central store.

• Create GPOs.

Lab Setup

Estimated Time: 45 minutes

Virtual machines: 20410D-LON-DC1, 20410D-LON-CL1

User name: Adatum\Administrator

Password: Pa$$w0rd

Lab Setup Instructions

For this lab, you will use the available virtual machine environment. Before you begin the lab,
you must complete the following steps:
1. On the host computer, start Hyper-V Manager.

2. In Hyper-V® Manager, click 20410D-LON-DC1. In the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Repeat steps 2 and 3 for 20410D-LON-CL1. Do not sign in until directed to do so.

Exercise 1: Configuring a central store

Scenario

A. Datum recently implemented a customized ADMX template to configure a program. A colleague
obtained the ADMX files from the vendor before creating the GPO with the configuration
settings. The settings were applied to the program as expected.

After implementation, you noticed that you are unable to modify the program’s settings in the
GPO from any location other than the workstation that was used originally by your colleague.
To resolve this issue, your manager has asked you to create a central store for administrative
templates. After you create the central store, your colleague will copy the vendor ADMX
template from the workstation into the central store.

The main tasks for this exercise are as follows:

1. View the location of administrative templates in a GPO.


2. Create a central store.

3. Copy administrative templates to the central store.

4. Verify the administrative template location in GPMC.

Task 1: View the location of administrative templates in a GPO

1. Sign in to LON-DC1 as Administrator with the password Pa$$w0rd.

2. Start the Group Policy Management Console.

3. In the Group Policy Object folder, open the Default Domain Policy, and then view the
location of the administrative templates.

Task 2: Create a central store

1. Open File Explorer, and then browse to C:\Windows\SYSVOL\sysvol\Adatum.com\Policies.

2. Create a folder to use for the central store, with the name PolicyDefinitions.

Task 3: Copy administrative templates to the central store

• Copy the contents of the default PolicyDefinitions folder located at
C:\Windows\PolicyDefinitions to the new PolicyDefinitions folder located at
C:\Windows\SYSVOL\sysvol\Adatum.com\Policies.

Task 4: Verify the administrative template location in GPMC


1. In the Group Policy Management Editor window, verify that the ADMX files in the
Administrative Templates folder have been retrieved from the central store.

2. Close the Group Policy Management Editor window.

Results: After completing this exercise, you should have configured a central store.
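Tasks 2 and 3 of this exercise, and the Creating and Provisioning the Central Store procedure in Lesson 3, are the same operation; the following added example (not part of the course module) does it from PowerShell on LON-DC1 and adds the check an administrator wants afterwards: a comparison of the local PolicyDefinitions folder against the central store that flags templates which differ, exist only locally (a newer OS build, or the vendor template from the scenario) or only in the store. It assumes the lab domain Adatum.com, that the script runs on the PDC emulator, and Windows PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not from the course module): create and seed the central
# store, then compare local and central templates to detect drift.
$domain  = 'Adatum.com'
$local   = "$env:SystemRoot\PolicyDefinitions"
$central = "$env:SystemRoot\SYSVOL\sysvol\$domain\Policies\PolicyDefinitions"

function Initialize-CentralStore {
    param([string]$Source, [string]$Destination)
    # The folder name must be exactly PolicyDefinitions; GPMC looks for it by name.
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # Copy the ADMX files and every language subfolder (en-US\*.adml, ...).
    Copy-Item -Path "$Source\*" -Destination $Destination -Recurse -Force
}

function Get-TemplateHash {
    param([string]$Root)
    # Relative path -> SHA-256 of each .admx/.adml under $Root.
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -Include *.admx, *.adml | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    $table
}

function Compare-PolicyDefinitions {
    param([string]$Local, [string]$Central)
    $l = Get-TemplateHash -Root $Local
    $c = Get-TemplateHash -Root $Central
    foreach ($rel in (@($l.Keys) + @($c.Keys) | Sort-Object -Unique)) {
        $state = if (-not $c.ContainsKey($rel))      { 'LocalOnly' }
                 elseif (-not $l.ContainsKey($rel))  { 'CentralOnly' }
                 elseif ($l[$rel] -ne $c[$rel])      { 'Differs' }
                 else                                { 'Same' }
        if ($state -ne 'Same') { [pscustomobject]@{ File = $rel; State = $state } }
    }
}

Initialize-CentralStore -Source $local -Destination $central

# Right after seeding this prints nothing. Run it again from any admin
# workstation later: LocalOnly/Differs means that workstation's OS carries
# templates the store does not, and editors there will not match the store.
Compare-PolicyDefinitions -Local $local -Central $central | Format-Table -AutoSize
```

The comparison is the part worth keeping. Once the store exists, every editor in the domain uses it in preference to its local files, so a missing or stale ADMX in the store silently hides settings from everyone, not just from one workstation.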

Exercise 2: Creating GPOs

Scenario

After a recent meeting of the IT Policy committee, management has decided that A. Datum
will use Group Policy to restrict user access to the General page of Internet Explorer.

Your manager has asked you to create a starter GPO that can be used for all departments, with
default restriction settings for Internet Explorer. You then need to create the GPOs that will
deliver the settings for members of all departments except for the IT department.

The main tasks for this exercise are as follows:

1. Create a Windows Internet Explorer Restriction default starter GPO.

2. Configure the Internet Explorer Restriction starter GPO.

3. Create an Internet Explorer Restrictions GPO from the Internet Explorer Restrictions
starter GPO.

4. Test the GPO for Domain Users.

5. Use security filtering to exempt the IT department from the IE Restrictions GPO.

6. Test the application of the GPO for IT department users.

7. Test the application of the GPO for other domain users.

Task 1: Create a Windows Internet Explorer Restriction default starter GPO

1. Open the GPMC, and then create a starter GPO named Internet Explorer Restrictions.

2. Type a comment that states This GPO disables the General page in Internet Options.

Task 2: Configure the Internet Explorer Restriction starter GPO

1. Edit the Internet Explorer Restrictions starter GPO, and configure it to disable the General
page of Internet Options (User Configuration > Administrative Templates > Windows
Components > Internet Explorer > Internet Control Panel > Disable the General page).

Hint: To select all the content, click in the details pane, and then press CTRL+A.

2. Close the Group Policy Management Editor window.

Task 3: Create an Internet Explorer Restrictions GPO from the Internet Explorer
Restrictions starter GPO

• Create a new GPO named IE Restrictions that is based on the Internet Explorer
Restrictions starter GPO, and then link it to the Adatum.com domain.

Task 4: Test the GPO for Domain Users

1. Sign in to LON-CL1 as Adatum\Brad with the password Pa$$w0rd.


2. Open Control Panel.

3. Attempt to change your home page.

4. Open Internet Options to verify that the General tab has been restricted.

5. Sign out from LON-CL1.

Task 5: Use security filtering to exempt the IT department from the IE Restrictions GPO

1. On LON-DC1, open the GPMC.

2. On the Delegation tab of the IE Restrictions GPO, use Advanced to deny the Apply group
policy permission to the IT department group. Leave Authenticated Users with Read.

Task 6: Test the application of the GPO for IT department users

1. Switch to LON-CL1.

2. Sign in to LON-CL1 as Brad with the password Pa$$w0rd.

3. Open Control Panel.

4. Attempt to change your home page. Verify that the Internet Properties dialog box
opens to the General tab, and all settings are available.

5. Sign out from LON-CL1.

Task 7: Test the application of the GPO for other domain users

1. Sign in to LON-CL1 as Boris with the password Pa$$w0rd.


2. Open Control Panel.

3. Attempt to change your home page.

4. Open Internet Options to verify that the General tab has been restricted.

5. Sign out from LON-CL1.

Results: After completing this exercise, you should have created a starter GPO and a GPO based on it.
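The same exercise done with the GroupPolicy and ActiveDirectory modules, as an added example that is not part of the course module. It assumes the lab domain Adatum.com and an AD security group named IT for the IT department. Two deviations from the GPMC steps are labelled in the code: starter GPO settings can only be edited in GPMC, so the Internet Options setting is written to the resulting GPO with Set-GPRegistryValue (using the registry value the "Disable the General page" ADMX setting writes), and Set-GPPermission has no Deny level, so the Deny ACE for Apply group policy is added on the GPO's AD object directly.

```powershell
# Added example (not from the course module): starter GPO, GPO, domain link,
# and security filtering that exempts the IT group.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain  = 'Adatum.com'
$starter = 'Internet Explorer Restrictions'
$gpoName = 'IE Restrictions'
$itGroup = 'IT'                                    # assumed group name

# Task 1: starter GPO with the comment from the lab.
if (-not (Get-GPStarterGPO -Name $starter -ErrorAction SilentlyContinue)) {
    New-GPStarterGPO -Name $starter `
        -Comment 'This GPO disables the General page in Internet Options.' | Out-Null
}

# Task 3: GPO created from the starter and linked at the domain root.
$gpo      = New-GPO -Name $gpoName -StarterGpoName $starter
$domainDN = 'DC=' + ($domain -replace '\.', ',DC=')     # Adatum.com -> DC=Adatum,DC=com
New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null

# Task 2 (applied to the GPO rather than the starter GPO): "Disable the General
# page" is GeneralTab = 1 under the managed Software\Policies branch.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel' `
    -ValueName 'GeneralTab' -Type DWord -Value 1 | Out-Null

# Task 5: deny "Apply group policy" to the IT group on the GPO's AD object.
# Keep Authenticated Users with Read: since MS16-072 the computer account reads
# user GPOs, and removing Read breaks user policy for everyone.
$applyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$itSid = (Get-ADGroup -Identity $itGroup).SID
$acl   = Get-Acl -Path "AD:\$($gpo.Path)"
$deny  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $itSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicyRight)
$acl.AddAccessRule($deny)
Set-Acl -Path "AD:\$($gpo.Path)" -AclObject $acl

# Verify what the Delegation tab will show: IT listed with Denied = True.
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission, Denied -AutoSize

# Tasks 4, 6 and 7 on LON-CL1: sign in as the test user, then
#   gpupdate /force
#   gpresult /R /SCOPE USER
# IT members see the GPO under "denied" with reason Security; others see it applied.
```

A Deny ACE wins over any Allow, so it is the simplest exemption, but it is also the kind of exception the Best Practices section warns about: each one is another reason a GPO "mysteriously" does not apply, so document it in the GPO comment.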

Lab Review Questions

Question: What is the difference between ADMX and ADML files?

Question: The Sales Managers group should be exempted from the desktop lockdown
policy that is being applied to the entire Sales OU. All sales user accounts and sales
groups reside in the Sales OU. How would you exempt the Sales Managers group?

Question: What Windows command can you use to force the immediate refresh of all
GPOs on a client computer?

Prepare for the next module

After you finish the lab, revert the virtual machines to their initial state by completing the
following steps:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20410D-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20410D-LON-CL1.


Module Review and Takeaways

Review Questions
Question: What are some of the advantages and disadvantages of using site-level GPOs?

Question: You have a number of logon scripts that map network drives for users. Not all
users need these drive mappings, so you must ensure that only the desired users receive
the mappings. You want to move away from using scripts. What is the best way to map
network drives for selected users without using scripts?

Best Practices
The following are recommended best practices:

• Do not use the Default Domain and Default Domain Controllers policies for uses other than
their default uses. Instead, create new policies.

• Limit the use of security filtering and other mechanisms that make diagnostics more
complex.

• If they have no settings configured, disable the User or Computer sections of policies.

• If you have multiple administration workstations, create a central store.

• Add comments to your GPOs to explain what the policies are doing.

• Design your OU structure to support Group Policy application.

Common Issues and Troubleshooting Tips

Common Issue                                                                  Troubleshooting Tip

A user is experiencing abnormal behavior on their workstation.

All users in a particular OU are having issues, and the OU has multiple GPOs applied.

Tools

Tool / Use / Where to find it

• Group Policy Management Console (GPMC). Controls all aspects of Group Policy. In Server
Manager, on the Tools menu.

• Group Policy Management Editor snap-in. Configure settings in GPOs. Accessed by editing any
GPO.

• Resultant Set of Policy (RSoP). Determine what settings are applying to a user or computer.
In the GPMC (Group Policy Results), or gpresult on the client.

• Group Policy Modeling Wizard. Test what would occur if settings were applied to users or
computers, prior to actually applying the settings. In the GPMC.

• Local Group Policy Editor. Configure Group Policy settings that apply only to the local
computer. Run gpedit.msc, or create a new Microsoft Management Console (MMC) on the local
computer and add the Group Policy Object Editor snap-in.
