Windows Server 2008 R2 Unleashed (129 page)

3. Expand the domain to expose the Group Policy Objects container and select it.

4. Right-click the Group Policy Objects container and select the Back Up All button.

5. Specify the folder location in which to store the backup, enter a description of the

backup, and click the Back Up button to back up the domain group policies.

6. In the Backup window, review the status of the backup and click OK when the back-

up completes.

Backing Up a Single Domain GPO

To back up a single domain GPO, perform the following steps:

1. Log on to a designated Windows Server 2008 R2 administrative system.

ptg

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Group Policy Objects container and expand it.

4. Select the desired GPO, right-click it, and click the Back Up button.

5. Specify the folder location in which to store the backup, enter a description of the

backup, and click the Back Up button to back up the domain group policy.

6. In the Backup window, review the status of the backup and click OK when the back-

up completes.

Restoring a Domain GPO

Restoring a domain GPO can be performed to revert a GPO to a previously backed-up state

or to recover from a domain GPO deletion.

To restore a deleted domain GPO, perform the following steps:

19

1. Log on to a designated Windows Server 2008 R2 administrative workstation.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Group Policy Objects container and select it.

4. Right-click the Group Policy Objects container, and select Manage Backups.

5. Browse to or specify the domain GPO backup location to load the GPO backup set.

6. Select the desired GPO object.

7. If a filtered view is desired, select the Show Only the Latest Version of Each GPO

check box.

8. To view the settings of a particular backed-up GPO, select the desired GPO, and click

the View Settings button. Close the browser window after the settings are reviewed.

634

CHAPTER 19

Windows Server 2008 R2 Group Policies and Policy Management

9. After the desired GPO is determined, select the GPO and click the Restore button.

10. Click OK in the Restore confirmation dialog box to restore the GPO.

11. Review the GPO restore progress, and click OK when it is finished.

12. After all the necessary GPOs are restored, close the Manage Backups window.

NOTE

Restoring a domain GPO from a backup does not re-create or restore any links previous-

ly associated with that GPO. GPO links must be re-created and reconfigured manually.

To change an existing domain GPO to a previously backed-up version, perform the

following steps:

1. Log on to a designated Windows Server 2008 R2 administrative system.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Group Policy Objects container and select it.

4. Locate and right-click the desired domain GPO, and select Restore from Backup.

5. In the Restore Group Policy Object Wizard window, click Next on the Welcome page.

ptg

6. On the next page, browse to or specify the domain GPO backup location and click

Next.

7. To view the settings of a particular backed-up GPO, select the desired GPO, and click

the View Settings button. Close the browser window after the settings are reviewed.

8. After the desired GPO is determined, select the GPO, and click Next.

9. Review the settings summary on the Completing the Restore GPO Wizard page, and

click Finish to start the restore process.

10. Review the GPO restore progress, and click OK when it is finished.

Group Policy Modeling Operations

The GPMC has a function called Group Policy Modeling that allows administrators to run

tests to determine the projected outcome of GPO processing. Group Policy Modeling

allows administrators to test the outcome of applying new GPOs, changing the status of

GPOs, changing the location of a computer or user object, or changing the group

membership of a computer or users. Detailed Group Policy Modeling is covered in

Chapter 27.

Group Policy Results

Group Policy Results provides administrators with an additional tool to investigate the

history of GPO processing on a particular computer and user object. This function requires

access to the remote computer to evaluate and summarize the logged results of historical

GPO processing. Starting with Windows Vista and Windows Server 2008 R2, the opera-

tional event logs for Group Policy provide much of the same functionality. This tool is

GPO Administrative Tasks

635

useful as a troubleshooting tool to assist administrators who need to investigate GPO

processing on computers running previous version operating systems. Group Policy

Results is covered in Chapter 27.

GPO Administrative Delegation

GPO administrative delegation is a process that administrators can utilize to delegate

permissions to specific users or configure security rights across all GPOs, specific GPOs,

and GPO-related tasks on specific Active Directory containers, such as sites, domains, and

organizational units.

GPO delegation or delegation of administration within Active Directory should only be

used in organizations that have separate IT groups that manage the infrastructure and

servers and other groups that manage the desktop and support the end user. If the IT

group of an organization contains administrators who all perform GPO and Active

Directory administration, adding a delegation model might not be necessary and can add

unnecessary complexity.

All GPO administrative delegation tasks detailed in the following sections are performed

using the Group Policy Management Console.

Delegating GPO Creation Rights

ptg

The right to create GPOs can only be delegated at the domain’s Group Policy Objects

container and the Starter GPOs container. After a policy is created, though, the right to

completely edit, modify security, and even delete the GPO can be granted on a per GPO

basis. To grant the right to create GPOs in a domain, perform the following steps:

1. Log on to a designated administrative system running Windows Server 2008 R2.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Group Policy Objects Container and select it.

4. In the right pane, select the Delegation tab.

5. Click the Add button at the bottom of the pane.

6. Type in the name of the user account or security group, and click OK to apply the

changes.

Alternately, the specific user or security group could be added as a member of the Group

19

Policy Creator Owners security group.

Delegating GPO Management Rights on Existing GPOs

After a group policy is created, it will inherit a base set of administrative rights to

completely edit the settings and modify the security of the policy. By default, administra-

tive rights are granted to the Domain Admins, Enterprise Admins, and System objects. If

the policy was created by a separate group or user that had been granted GPO creation

rights, that object would also have these rights. If additional users or security groups need

to be granted the right to edit the settings, manage the security, or delete a specific policy,

perform the following steps:

636

CHAPTER 19

Windows Server 2008 R2 Group Policies and Policy Management

1. Log on to a designated administrative system running Windows Server 2008 R2.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Group Policy Objects Container and select it.

4. Expand the Group Policy Objects container to expose the domain GPOs.

5. Select the desired GPO and select the Delegation tab in the right pane.

6. At the bottom of the pane, click the Add button.

7. Type in the name of the specific user account or security group, and click OK.

8. In the Add Group or User window, click the Permissions drop-down list arrow, and

select the appropriate permission of Read, Edit Settings, or Edit Settings, Delete,

Modify Security, and click OK to apply the changes.

Delegating GPO Administrative Tasks on Active Directory Containers

The GPMC allows administrators to delegate the rights to manage GPO links and perform

testing and troubleshooting tasks at the site, domain, and organizational unit container

levels. To delegate GPO administrative rights over an Active Directory container, perform

the following steps:

1. Log on to a designated administrative workstation running Windows Server 2008 R2.

ptg

2. Open the Group Policy Management Console.

3. Expand the Active Directory Forest container.

4. Select either the Domains or Sites node and expand it.

5. If the desired domain or site is not listed, right-click the node and select Show

Domains or Show Sites and add the object as required.

6. Expand the Domains or Sites node to expose the container that will have the GPO

delegation rights applied to it and select it.

7. In the right pane, select the Delegation tab.

8. On the Delegation tab, near the top of the pane, select the desired permission that

will be delegated from the following options:

. Link GPOs

. Perform Group Policy Modeling Analyses

. Read Group Policy Results Data

9. At the bottom of the pane, click the Add button.

10. Type in the name of the specific user account or security group and click OK.

11. In the Add Group or User window, click the Permissions drop-down list arrow, and

select the appropriate permission of This Container Only or This Container and All

Child Containers, and click OK.

Best Practices

637

NOTE

Even though the right to perform Group Policy Modeling and view results data can be

delegated at a container level, if the task is not performed on the domain controller,

the user or group will also need to be a member of the domain’s Distributed COM

Users security group.

Summary

This chapter detailed the Group Policy infrastructure of the Windows 7 and Windows

Server 2008 R2 operating systems. For an administrator to successfully design and support

a Group Policy infrastructure, a thorough understanding of the general GPO functions

and how to use the GPO management tools is a necessity.

This chapter introduced how policies work, the difference between local group policies

and domain policies, and the elements of a group policy. For administrators who are creat-

ing multiple policies for their environment, rather than creating individual policies for

each user, site, or domain, the concept of creating a starter GPO to use as a template or

ptg

baseline policy was discussed.

Windows Server 2008 R2 also introduced improvements in the Group Policy Management

Console tool that is used for the creation and management of policies throughout the

Windows Server 2008 R2 environment. The GPMC provides the ability to create policies,

edit policies, and generate reports to determine specifically what a policy is doing in the

environment.

After the administrator is familiar with the tools available for the creation and manage-

ment of group policies, this chapter provided guidance on the policy management tasks

and best practices an administrator could follow in leveraging the capabilities of policies

within the Windows Server 2008 R2 environment.

Best Practices

19

The following are best practices from this chapter:

. Use common sense naming conventions for GPOs.

. Don’t use the same name for two different GPOs.

. When you are working with Group Policy Objects, disable unused Computer and

User Configuration nodes of the policy when possible.

. When you delegate the creation of GPOs to nonadministrators, also consider dele-

gating the capability to manage the links for a specific OU and to allow these

administrators to run modeling and to read Group Policy results data.

638

CHAPTER 19

Windows Server 2008 R2 Group Policies and Policy Management

. Use the Enforced and Block Inheritance settings in GPOs sparingly.

. Only configure the default account policies for the entire domain in the default

domain policy. Leave all other settings to separate policies.

. Use fully qualified (UNC) paths—for example, \\server.companyabc.com\share.

. Only create GPOs to deploy printers using the GPMC and GPME on Windows Vista,

Windows 7, and Windows Server 2008 R2 systems.

. Keep from applying group policies to sites and instead apply them to domains and

organizational units.

. Use starter GPOs to set baseline standards for administrators to create subsequent

policies in the environment.

. Try to separate GPO functions across multiple policies to provide more flexibility

with regard to targeting GPO application, delegation, and troubleshooting.

. When creating operating system–specific Group Policy settings, create separate poli-

cies and apply WMI filters for the desired operating systems.

. Use Group Policy security and WMI filters to gain more granular control of policies

and the application of policies on users and computers.

ptg