Customizing Other Group Policy Settings

Instructors should do the following:

Explain that Group Policy settings will be applied to child objects within the domain.

Point out that Blocking Group Policy Inheritance can be used to prevent policy settings from applying to child objects.

Explain that Group Policy Filtering refines the GPO to include or exclude certain users, groups, and computers.

Explain that the two options for preventing restrictive policies from applying to administrators are:

Remove the ACE for the Authenticated Users group that grants the Read and Apply Group Policy permissions.

Set the Apply Group Policy ACE to Deny for the specific groups that you want to exclude from Group Policy.

Demonstrate how to configure security group filtering using the Group Policy Management MMC Snap-in.

Explain that Windows Management Instrumentation (WMI) is a component of the Microsoft Windows operating system that provides management information to the enterprise environment.

Demonstrate how to configure WMI filtering using the Group Policy Management MMC Snap-in.

Explain that Resultant Set of Policy (RSoP) is the sum of policies applied to a user and computer after all files, security group permissions, and inheritance settings have finished processing.

Point out that the RSoP wizard assists administrators in determining the effects of policies on users and computers.

Explain that the planning mode of RSoP allows administrators to simulate the effect of policy settings prior to implementation.

Explain that the logging mode of RSoP allows administrators to query existing policies in the hierarchy that are linked to sites, domains, domain controllers, and OUs.

Demonstrate the use of the Resultant Set of Policy wizard.

Explain that Group Policy Modeling is used to simulate the effect of policy on the user environment.

Demonstrate how to create a Group Policy modeling query using Administrative Tools.

Point out that Group Policy Results is equivalent to the Logging mode within the RSoP MMC Snap-in.

Demonstrate how to create a Group Policy Results query in Administrative Tools.

Explain that GPResult is a command-line tool that allows you to create and display an RSoP query from the command line.
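For the WMI filtering item above, candidate filter queries can be checked on a test machine before they are attached to a GPO. The script below is an added example, not part of the original lesson; it assumes Windows PowerShell, and the function name, thresholds and sample queries are constructed for illustration.

```powershell
# Added example: evaluate candidate GPO WMI filter queries on the local machine.
# A WMI filter evaluates to true for a computer when its WQL query returns at
# least one instance, so the check here is "did the query return anything?".

function Test-WmiFilterQuery {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        # -ErrorAction Stop turns an invalid query or class into a catchable error
        $instances = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        New-Object PSObject -Property @{
            Query   = $Query
            Matches = ($instances.Count -gt 0)
            Error   = $null
        }
    }
    catch {
        # Report the failure explicitly instead of treating it as "no match"
        New-Object PSObject -Property @{
            Query   = $Query
            Matches = $false
            Error   = $_.Exception.Message
        }
    }
}

# Constructed sample filters (thresholds are illustrative, not from the lesson)
$candidateFilters = @(
    # Disk space: more than 10 GB free on drive C:
    "SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:' AND FreeSpace > 10737418240",
    # Processor capability: 64-bit CPU
    "SELECT * FROM Win32_Processor WHERE AddressWidth = 64",
    # Deliberately misspelled class name to show the error path
    "SELECT * FROM Win32_LogicalDsk WHERE FreeSpace > 0"
)

$candidateFilters |
    ForEach-Object { Test-WmiFilterQuery -Query $_ } |
    Select-Object Matches, Error, Query |
    Format-List
```

Once a filter is attached to a GPO, GPResult lists a GPO that the filter excluded among the GPOs that were not applied, which confirms the result on the target computer.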

Lesson Quiz

True/False

1. As with Windows Server 2003, the Group Policy Management Console is an add-on snap-in that must be downloaded and installed from the Microsoft website.

2. WMI Filtering can be used to control the application of GPOs based on criteria such as disk space or processor capabilities.

3. The Resultant Set of Policies provides administrators with the tools to simulate the effect of GPO settings before actually applying the settings in production.

4. The Group Policy Modeling feature in the Group Policy Management Console produces results similar to running the RSoP Snap-in in planning mode.

5. A WMI filter can be linked to only one GPO.

Multiple Choice

1. When viewing an individual GPO using the Group Policy Management Console, which tab would display the status, such as Enabled?

a) Details b) Scope c) Settings d) Delegation

2. Which two filtering options allow administrators to control the application of GPOs?

a) Organizational unit filtering b) Computer and user filtering c) Security group filtering d) WMI filtering

3. Which two tools can be used to display the net effect of all group policies assigned to a user or computer?

a) Resultant Set of Policy Wizard b) Net Effect Wizard c) Group Policy Wizard d) GP Result

4. Which Resultant Set of Policies mode is useful for understanding the effect of combined policies on users and computers?

a) Planning Mode b) Results Mode c) GPResults Mode d) Logging Mode

5. Which command line tool provides the ability to create a Resultant Set of Policy query?

a) GPResult.exe b) GPupdate.exe c) GPdisplay.exe d) RSoP.exe

Quiz Answers

True/False

1. False. GPMC is natively installed in Windows Server 2008.

2. True.

3. True.

4. True.

5. False. WMI filters can be linked to multiple GPOs.

Multiple Choice

1. B

2. C, D

3. A, D

4. D

5. A

Class Projects

Lesson 10—Exercise 1

Explain the functions that can be performed using the Group Policy Management Console.

Lesson 10—Project 1

As an Active Directory administrator, one of your jobs is to simplify the application of internal IT policies to users and computers. Explain how this can be accomplished using the following:

Group Policy, inheritance of GPO settings, blocking of inheritance of GPO

Microsoft Video Resources

Windows Server 2008 Read-Only Domain Controllers—Password Replication Policies

Read-only domain controllers (RODCs) are a new feature in Windows Server 2008, allowing domain controllers to be deployed in locations where security might otherwise be a concern (e.g., branch offices). In this video Mark Wilson takes a look at the password replication policies that are used to control credentials stored on RODCs.

Length: 4:58.

Securing Branch Office User Accounts

Show the class the information in this video and explain that the video demonstrates how you can place a domain controller in a branch office, and take measures to make branch office accounts more secure. The demo uses a combination of BitLocker, RODC, fine-grained password policies using a tool from Special Operations Software, and admin role separation to achieve this goal.

Length: 12:08

Lesson 11:

Active Directory