Windows Server 2008 R2 Unleashed (129 page)
Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
3. Expand the domain to expose the Group Policy Objects container and select it.
4. Right-click the Group Policy Objects container and select the Back Up All button.
5. Specify the folder location in which to store the backup, enter a description of the
backup, and click the Back Up button to back up the domain group policies.
6. In the Backup window, review the status of the backup and click OK when the back-
up completes.
Backing Up a Single Domain GPO
To back up a single domain GPO, perform the following steps:
1. Log on to a designated Windows Server 2008 R2 administrative system.
ptg
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Group Policy Objects container and expand it.
4. Select the desired GPO, right-click it, and click the Back Up button.
5. Specify the folder location in which to store the backup, enter a description of the
backup, and click the Back Up button to back up the domain group policy.
6. In the Backup window, review the status of the backup and click OK when the back-
up completes.
Restoring a Domain GPO
Restoring a domain GPO can be performed to revert a GPO to a previously backed-up state
or to recover from a domain GPO deletion.
To restore a deleted domain GPO, perform the following steps:
19
1. Log on to a designated Windows Server 2008 R2 administrative workstation.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Group Policy Objects container and select it.
4. Right-click the Group Policy Objects container, and select Manage Backups.
5. Browse to or specify the domain GPO backup location to load the GPO backup set.
6. Select the desired GPO object.
7. If a filtered view is desired, select the Show Only the Latest Version of Each GPO
check box.
8. To view the settings of a particular backed-up GPO, select the desired GPO, and click
the View Settings button. Close the browser window after the settings are reviewed.
634
CHAPTER 19
Windows Server 2008 R2 Group Policies and Policy Management
9. After the desired GPO is determined, select the GPO and click the Restore button.
10. Click OK in the Restore confirmation dialog box to restore the GPO.
11. Review the GPO restore progress, and click OK when it is finished.
12. After all the necessary GPOs are restored, close the Manage Backups window.
NOTE
Restoring a domain GPO from a backup does not re-create or restore any links previous-
ly associated with that GPO. GPO links must be re-created and reconfigured manually.
To change an existing domain GPO to a previously backed-up version, perform the
following steps:
1. Log on to a designated Windows Server 2008 R2 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Group Policy Objects container and select it.
4. Locate and right-click the desired domain GPO, and select Restore from Backup.
5. In the Restore Group Policy Object Wizard window, click Next on the Welcome page.
ptg
6. On the next page, browse to or specify the domain GPO backup location and click
Next.
7. To view the settings of a particular backed-up GPO, select the desired GPO, and click
the View Settings button. Close the browser window after the settings are reviewed.
8. After the desired GPO is determined, select the GPO, and click Next.
9. Review the settings summary on the Completing the Restore GPO Wizard page, and
click Finish to start the restore process.
10. Review the GPO restore progress, and click OK when it is finished.
Group Policy Modeling Operations
The GPMC has a function called Group Policy Modeling that allows administrators to run
tests to determine the projected outcome of GPO processing. Group Policy Modeling
allows administrators to test the outcome of applying new GPOs, changing the status of
GPOs, changing the location of a computer or user object, or changing the group
membership of a computer or users. Detailed Group Policy Modeling is covered in
Chapter 27.
Group Policy Results
Group Policy Results provides administrators with an additional tool to investigate the
history of GPO processing on a particular computer and user object. This function requires
access to the remote computer to evaluate and summarize the logged results of historical
GPO processing. Starting with Windows Vista and Windows Server 2008 R2, the opera-
tional event logs for Group Policy provide much of the same functionality. This tool is
GPO Administrative Tasks
635
useful as a troubleshooting tool to assist administrators who need to investigate GPO
processing on computers running previous version operating systems. Group Policy
Results is covered in Chapter 27.
GPO Administrative Delegation
GPO administrative delegation is a process that administrators can utilize to delegate
permissions to specific users or configure security rights across all GPOs, specific GPOs,
and GPO-related tasks on specific Active Directory containers, such as sites, domains, and
organizational units.
GPO delegation or delegation of administration within Active Directory should only be
used in organizations that have separate IT groups that manage the infrastructure and
servers and other groups that manage the desktop and support the end user. If the IT
group of an organization contains administrators who all perform GPO and Active
Directory administration, adding a delegation model might not be necessary and can add
unnecessary complexity.
All GPO administrative delegation tasks detailed in the following sections are performed
using the Group Policy Management Console.
Delegating GPO Creation Rights
ptg
The right to create GPOs can only be delegated at the domain’s Group Policy Objects
container and the Starter GPOs container. After a policy is created, though, the right to
completely edit, modify security, and even delete the GPO can be granted on a per GPO
basis. To grant the right to create GPOs in a domain, perform the following steps:
1. Log on to a designated administrative system running Windows Server 2008 R2.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Group Policy Objects Container and select it.
4. In the right pane, select the Delegation tab.
5. Click the Add button at the bottom of the pane.
6. Type in the name of the user account or security group, and click OK to apply the
changes.
Alternately, the specific user or security group could be added as a member of the Group
19
Policy Creator Owners security group.
Delegating GPO Management Rights on Existing GPOs
After a group policy is created, it will inherit a base set of administrative rights to
completely edit the settings and modify the security of the policy. By default, administra-
tive rights are granted to the Domain Admins, Enterprise Admins, and System objects. If
the policy was created by a separate group or user that had been granted GPO creation
rights, that object would also have these rights. If additional users or security groups need
to be granted the right to edit the settings, manage the security, or delete a specific policy,
perform the following steps:
636
CHAPTER 19
Windows Server 2008 R2 Group Policies and Policy Management
1. Log on to a designated administrative system running Windows Server 2008 R2.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Group Policy Objects Container and select it.
4. Expand the Group Policy Objects container to expose the domain GPOs.
5. Select the desired GPO and select the Delegation tab in the right pane.
6. At the bottom of the pane, click the Add button.
7. Type in the name of the specific user account or security group, and click OK.
8. In the Add Group or User window, click the Permissions drop-down list arrow, and
select the appropriate permission of Read, Edit Settings, or Edit Settings, Delete,
Modify Security, and click OK to apply the changes.
Delegating GPO Administrative Tasks on Active Directory Containers
The GPMC allows administrators to delegate the rights to manage GPO links and perform
testing and troubleshooting tasks at the site, domain, and organizational unit container
levels. To delegate GPO administrative rights over an Active Directory container, perform
the following steps:
1. Log on to a designated administrative workstation running Windows Server 2008 R2.
ptg
2. Open the Group Policy Management Console.
3. Expand the Active Directory Forest container.
4. Select either the Domains or Sites node and expand it.
5. If the desired domain or site is not listed, right-click the node and select Show
Domains or Show Sites and add the object as required.
6. Expand the Domains or Sites node to expose the container that will have the GPO
delegation rights applied to it and select it.
7. In the right pane, select the Delegation tab.
8. On the Delegation tab, near the top of the pane, select the desired permission that
will be delegated from the following options:
. Link GPOs
. Perform Group Policy Modeling Analyses
. Read Group Policy Results Data
9. At the bottom of the pane, click the Add button.
10. Type in the name of the specific user account or security group and click OK.
11. In the Add Group or User window, click the Permissions drop-down list arrow, and
select the appropriate permission of This Container Only or This Container and All
Child Containers, and click OK.
Best Practices
637
NOTE
Even though the right to perform Group Policy Modeling and view results data can be
delegated at a container level, if the task is not performed on the domain controller,
the user or group will also need to be a member of the domain’s Distributed COM
Users security group.
This chapter detailed the Group Policy infrastructure of the Windows 7 and Windows
Server 2008 R2 operating systems. For an administrator to successfully design and support
a Group Policy infrastructure, a thorough understanding of the general GPO functions
and how to use the GPO management tools is a necessity.
This chapter introduced how policies work, the difference between local group policies
and domain policies, and the elements of a group policy. For administrators who are creat-
ing multiple policies for their environment, rather than creating individual policies for
each user, site, or domain, the concept of creating a starter GPO to use as a template or
ptg
baseline policy was discussed.
Windows Server 2008 R2 also introduced improvements in the Group Policy Management
Console tool that is used for the creation and management of policies throughout the
Windows Server 2008 R2 environment. The GPMC provides the ability to create policies,
edit policies, and generate reports to determine specifically what a policy is doing in the
environment.
After the administrator is familiar with the tools available for the creation and manage-
ment of group policies, this chapter provided guidance on the policy management tasks
and best practices an administrator could follow in leveraging the capabilities of policies
within the Windows Server 2008 R2 environment.
19
The following are best practices from this chapter:
. Use common sense naming conventions for GPOs.
. Don’t use the same name for two different GPOs.
. When you are working with Group Policy Objects, disable unused Computer and
User Configuration nodes of the policy when possible.
. When you delegate the creation of GPOs to nonadministrators, also consider dele-
gating the capability to manage the links for a specific OU and to allow these
administrators to run modeling and to read Group Policy results data.
638
CHAPTER 19
Windows Server 2008 R2 Group Policies and Policy Management
. Use the Enforced and Block Inheritance settings in GPOs sparingly.
. Only configure the default account policies for the entire domain in the default
domain policy. Leave all other settings to separate policies.
. Use fully qualified (UNC) paths—for example, \\server.companyabc.com\share.
. Only create GPOs to deploy printers using the GPMC and GPME on Windows Vista,
Windows 7, and Windows Server 2008 R2 systems.
. Keep from applying group policies to sites and instead apply them to domains and
organizational units.
. Use starter GPOs to set baseline standards for administrators to create subsequent
policies in the environment.
. Try to separate GPO functions across multiple policies to provide more flexibility
with regard to targeting GPO application, delegation, and troubleshooting.
. When creating operating system–specific Group Policy settings, create separate poli-
cies and apply WMI filters for the desired operating systems.
. Use Group Policy security and WMI filters to gain more granular control of policies
and the application of policies on users and computers.
ptg
