What GPOs CAN and CAN'T do
TheDonger
Member Posts: 26 ■□□□□□□□□□
Hey all,
Thinking I'm going to man up and go in this week for the test, so expect a flurry of confused and annoying posts from me in the next few days.
A lot of my test questions recently have been throwing me curve balls about GPOs. Every time I think 'oh, the easiest way to accomplish this with the least administrative effort would be assigning a GPO to an OU', and then the answer will be some tricky thing I was unprepared for.
So here's my list so far of what GPOs can and can't do. I'm trying to be as specific as possible.
Can
1. Point Users to WSUS
Can't
1. Be tied to groups
2. Enforce software install policy
3. Enforce expiration updates
4. Configure roaming profile location
5. Can't enforce permissions
Next up: figuring out groups, which is KILLING me.
Thinking I'm going to man up and go in this week for the test, so expect a flurry of confused and annoying posts from me in the next few days.
A lot of my test questions recently have been throwing me curve balls about GPOs. Every time I think 'oh, the easiest way to accomplish this with the least administrative effort would be assigning a GPO to an OU', and then the answer will be some tricky thing I was unprepared for.
So here's my list so far of what GPOs can and can't do. I'm trying to be as specific as possible.
Can
1. Point Users to WSUS
Can't
1. Be tied to groups
2. Enforce software install policy
3. Enforce expiration updates
4. Configure roaming profile location
5. Can't enforce permissions
Next up: figuring out groups, which is KILLING me.
Comments
-
undomiel Member Posts: 2,818Actually you can do security filtering on groups. Assign your GPO at the root and then remove the default security filtering and add in whatever group you're wishing to use for this GPO. It is a very useful technique to get around some otherwise hairy group policy requirements.
Group Policy can also certainly do a lot more than direct people to the WSUS server. I'd recommend jumping in and playing around with them. There is a lot you can do for security and locking down workstations and user accounts.Jumping on the IT blogging band wagon -- http://www.jefferyland.com/ -
TheDonger Member Posts: 26 ■□□□□□□□□□Actually you can do security filtering on groups. Assign your GPO at the root and then remove the default security filtering and add in whatever group you're wishing to use for this GPO. It is a very useful technique to get around some otherwise hairy group policy requirements.
Group Policy can also certainly do a lot more than direct people to the WSUS server. I'd recommend jumping in and playing around with them. There is a lot you can do for security and locking down workstations and user accounts.
That's true. You mean on the DC root?
I was really just trying to make a simplified checklist for the sake of study, but GPOs are great for publishing software and doing policy application in a uniform manner. -
Slowhand Mod Posts: 5,161 ModThat "Can" list could go on for miles. The best thing you can do is to look at all the different settings, play around with a lab-environment, and really get an idea of what GPOs are capable of. Reading is one thing, but it won't really click until you play around with the actual software. (And keep in mind, the number of settings you can enforce in Windows Server 2003 pales in comparison to the Everest-sized mountain of settings they've added to Server 2008, so start getting familiar with 'em now.)
Free Microsoft Training: Microsoft Learn
Free PowerShell Resources: Top PowerShell Blogs
Free DevOps/Azure Resources: Visual Studio Dev Essentials
Let it never be said that I didn't do the very least I could do. -
Claymoore Member Posts: 1,637That "Can" list could go on for miles.
In Windows Server 2008, you can use Group Policy to centrally manage a greater number of features and component behaviors. The number of Group Policy settings has increased from approximately 1,700 in Windows Server 2003 with Service Pack 1 (SP1) to approximately 2,400 in Windows Server 2008.
Group Policy
That would be a long list, and that's before you consider the flexibility of GP Preferences in Server 2008. Group Policy is also extensible and you can either add in standard templates for applications like Office 2003 or create your own templates. Do a search and you might be surprised what is available in an adm template - Google toolbar settings, HP Universal Print Driver, Windows Desktop Search, even adm templates for PowerShell:
http://www.microsoft.com/downloads/details.aspx?FamilyID=2917a564-dbbc-4da7-82c8-fe08b3ef4e6d&displaylang=en&Hash=UNIuUY%2bPsaYIFGF0oQSGKeYIMD1Qr3xvPUypr2614stn9%2fDOuz7omlh89jAqyJTZfpocnS2koSf1V1rHPE72WA%3d%3d
With PolicyPak you can easily make your own GP templates:
Home
Group Policy is really only limited by what is possible with the Windows Registry. -
undomiel Member Posts: 2,818PolicyPak looks interesting. I always found it a pain to build my own templates. The Office ones are a must, I wish they would be distributed with Server 2003/2008 itself.Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
-
gravyjoe Member Posts: 260Another thing that GPO's can do is be applied to OU's (Organizational Units). This can be confusing, since GPO's can involve groups. I'll try to explain.
With groups, you can apply certain rules within a GPO to a group (for example: Load and Unload Device Drivers is assigned to Administrators by default, but you can add or delete groups from this rule.)
With Organizational Units, you can apply a whole GPO to an OU.The biggest risk in life is not taking one. -
aquageek Member Posts: 152Another thing that GPO's can do is be applied to OU's (Organizational Units). This can be confusing, since GPO's can involve groups. I'll try to explain.
With groups, you can apply certain rules within a GPO to a group (for example: Load and Unload Device Drivers is assigned to Administrators by default, but you can add or delete groups from this rule.)
With Organizational Units, you can apply a whole GPO to an OU.
Yeah, I've never understood why they're called GROUP Policy Objects when they can't be linked to groups directly. Seems to me they should be called OUPO!You are the systems administrator for a large enterprise that has decided to place computers in the lobby for access to public company information. On Tuesday morning Rooslan storms into your office screaming, "what the hell is this? In the last question I was the systems administrator. Now I am only a "Backup Operator"? This **** is crazy!" -
aquageek Member Posts: 152With groups, you can apply certain rules within a GPO to a group (for example: Load and Unload Device Drivers is assigned to Administrators by default, but you can add or delete groups from this rule.)
And isn't that a "user right" not a GPO?You are the systems administrator for a large enterprise that has decided to place computers in the lobby for access to public company information. On Tuesday morning Rooslan storms into your office screaming, "what the hell is this? In the last question I was the systems administrator. Now I am only a "Backup Operator"? This **** is crazy!"