—GPO (Group Policy Object)
//Policies take priority over preferences
//Preferences can apply a default once and then not override it again (e.g. file extensions)
Machine policies are applied to machines. The linked OU must contain machines.
User policies are applied to users. The linked OU must contain users.
Users and computers are not OUs and as such cannot have GPOs linked to them.
If a GPO is linked to the parent OU, all the child OUs also have that GPO applied.
If there is a computer GPO setting and a user GPO setting, the computer side always overrides the user configuration.
Sometimes GPO values conflict at different levels of the OU hierarchy.
Processing flows down from the root OU to the child OUs. Child OUs are processed last and override
parent OU values. Computer GPO configuration still takes precedence over user GPO configuration.
Policies are stored under the shared folder SYSVOL:
C:\Windows\Sysvol\sysvol\Cisco.com\Policies
C:\Windows\Sysvol\domain\Policies
Administrative Templates
This is the ability to add additional GPO settings, for example for Office.
Copy the downloaded admx + en-US files into the following directory:
C:\windows\PolicyDefinitions
—Grant a standard user access to create and link GPOs
– Install the RSAT tools on the client host machine
– Add the user to the Group Policy Creator Owners AD group (creating new GPOs)
– In AD -> Right click OU -> Delegation -> Grant the ability to link/unlink GPOs
—GPO Refresh Interval
Group policies update every 90 – 120 minutes
Domain controllers refresh their own GPOs every 5 minutes
—GPO Delegation
If we want to exclude a specific user from receiving specific GPOs, we can click
GPO -> Delegation -> Add user
Deny “Apply this group policy”
Alternatively, we can filter users out with a WMI filter
—Block Inheritance
This will ignore ALL parent OU GPOs, stopping them from flowing down into the selected child OU
—Enforced GPO
This will push a GPO to child objects, even if block inheritance is enabled on an OU.
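
To review how delegation, Block Inheritance and Enforced combine on one OU, the following PowerShell audit can be run from a host with the RSAT GroupPolicy module. It is an added example, not part of the original notes; the OU distinguished name and the list of expected trustees are assumptions to replace with your own.

```powershell
# Added example: audit GPO links and delegation for a single OU.
Import-Module GroupPolicy

# Hypothetical OU (placeholder, not from the notes). Set this to your own OU.
$OuDn = 'OU=Workstations,DC=example,DC=com'

$som = Get-GPInheritance -Target $OuDn
"Block Inheritance on ${OuDn}: $($som.GpoInheritanceBlocked)"

# InheritedGpoLinks is the effective list for this OU after Block Inheritance
# and Enforced have been taken into account, in precedence order.
$som.InheritedGpoLinks | Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced, Target -AutoSize

# Enforced links defined on a parent container still reach this OU even when
# Block Inheritance is set, so list them separately.
$som.InheritedGpoLinks |
    Where-Object { $_.Enforced -and $_.Target -ne $som.Path } |
    ForEach-Object { "Enforced from parent: $($_.DisplayName) <- $($_.Target)" }

# Assumption: trustees expected to hold edit rights on a GPO by default.
# Adjust this list to match your environment.
$expected = 'Domain Admins', 'Enterprise Admins', 'SYSTEM',
            'ENTERPRISE DOMAIN CONTROLLERS'

# Delegation review for every GPO that reaches this OU.
$seen = @{}
foreach ($link in $som.InheritedGpoLinks) {
    if ($seen.ContainsKey($link.GpoId)) { continue }   # GPO linked more than once
    $seen[$link.GpoId] = $true

    foreach ($ace in Get-GPPermission -Guid $link.GpoId -All) {
        $who = $ace.Trustee.Name

        # Assumption: a Deny on applying the GPO may surface as a custom
        # permission rather than as a denied GpoApply entry, so flag both.
        if ($ace.Denied -or $ace.Permission -eq 'GpoCustom') {
            "REVIEW  $($link.DisplayName): deny/custom entry for $who"
        }
        # Anyone outside the expected list who can edit a GPO can change
        # what runs on every machine and user the GPO applies to.
        elseif ($ace.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' -and
                $who -notin $expected) {
            "REVIEW  $($link.DisplayName): $who has $($ace.Permission)"
        }
    }
}
```
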
—Group Policy Results
When you open the Group Policy Management Console, right at the bottom we have “Group Policy Results”.
By inputting a user and computer we can quickly see which GPOs are being applied.
OR
gpresult /h c:\Results.html
OR
rsop.msc