Tag Archives: 70-742

Create and Manage Group Policy Objects (GPOs) Part 1 of 2

GPOs

GPOs Overview

Group Policy Objects (GPOs) are one of the most powerful components in a Windows Server 2016-based environment. Thanks to GPOs, you can easily manage:

  • Windows settings
  • Application settings
  • Software deployment
  • Folder redirection (user Home folders)
  • Security settings
  • Infrastructure settings such as wireless and networking

Local GPOs

While most environments leverage the power of Active Directory (AD) and assign GPOs through the AD infrastructure, you can use local GPOs to control computers and users that are not joined to an AD domain. Keep in mind that on a domain-joined system the local GPO is processed first, so wherever a local setting and a domain-based GPO setting conflict, the domain setting wins; local settings that no domain GPO configures still apply.

There are multiple local GPOs you can use, including:

  • Local Group Policy – this is the “classic” local Group Policy Object; it contains a Computer Configuration node and a User Configuration node, with settings for each
  • Administrators and Non-Administrators Local Group Policy – these two GPOs let you treat members of the local Administrators group differently from everyone else; since they apply per user, they contain only a User Configuration node
  • User-Specific Local Group Policy – these GPOs let you configure settings for a single local user account

NOTE: If more than one of these applies to a system, they are processed in the order listed, and where settings conflict the one processed later wins. For example, a user-specific setting overrides a conflicting setting in the classic Local Group Policy.

To create these local GPOs, log in as a local administrator, run mmc.exe from the Run dialog, add the Group Policy Object Editor snap-in, and click Browse instead of accepting the default Local Computer. The Computers tab gives you the classic Local Group Policy; the Users tab lists Administrators, Non-Administrators, and each local user account, and selecting one of those opens (and creates, if needed) the corresponding local GPO.
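As an added example (not part of the original post), the following PowerShell shows which of these local GPOs actually exist on a machine by reading the on-disk store under %SystemRoot%\System32. The GroupPolicy folder holds the classic Local Group Policy; GroupPolicyUsers holds one folder per SID for the Administrators (S-1-5-32-544), Non-Administrators (S-1-5-32-545) and user-specific local GPOs. Run it from an elevated prompt, since the folder ACLs keep non-administrators out.

```powershell
# Added example, not from the original post: audit the local GPOs present on this
# machine and show who each one applies to. Because local GPOs live on disk, this is
# a quick way to see what a machine applies before any domain GPOs are layered on top.
#Requires -RunAsAdministrator
$base = Join-Path $env:SystemRoot 'System32'

# Classic Local Group Policy: has both a Machine and a User half.
$classic = Join-Path $base 'GroupPolicy'
if (Test-Path $classic) {
    $nodes = (Get-ChildItem $classic -Directory).Name
    "Local Group Policy: present (nodes: $($nodes -join ', '))"
} else {
    'Local Group Policy: not configured'
}

# Administrators / Non-Administrators / user-specific local GPOs: one folder per SID,
# user node only. The two group SIDs are well known; any other folder is a user SID.
$perUser   = Join-Path $base 'GroupPolicyUsers'
$wellKnown = @{
    'S-1-5-32-544' = 'Administrators Local Group Policy'
    'S-1-5-32-545' = 'Non-Administrators Local Group Policy'
}
if (Test-Path $perUser) {
    Get-ChildItem $perUser -Directory | ForEach-Object {
        $sid = $_.Name
        if ($wellKnown.ContainsKey($sid)) {
            $who = $wellKnown[$sid]
        } else {
            # Translate the SID to an account name; keep the raw SID if it is orphaned.
            try {
                $acct = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
                $who  = "User-specific Local Group Policy for $acct"
            } catch {
                $who  = "User-specific Local Group Policy for $sid (account no longer exists)"
            }
        }
        '{0,-55} {1}' -f $who, $_.FullName
    }
} else {
    'No Administrators, Non-Administrators or user-specific local GPOs configured'
}

# Resultant set of policy for the logged-on user: the "Applied Group Policy Objects"
# list shows whether the local GPOs were applied and which domain GPOs came after them.
gpresult /r /scope user
```

An orphaned SID folder (an account that was deleted without its local GPO being removed) is worth cleaning up; the policy is dead weight but still readable to anyone with admin rights.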

Linking AD GPOs

When we use GPOs in the Active Directory environment, we link them to specific AD objects in order to set their scope. These objects include:

  • Sites
  • Domains
  • Organizational Units (OUs)

You can link GPOs to these AD objects using GUI tools as well as PowerShell. The links are processed in the order Local, Site, Domain, OU (parent OUs before child OUs), and where settings conflict the GPO processed last wins, unless a link higher in the chain is marked Enforced, in which case its setting prevails and a Block Inheritance setting on the OU cannot stop it.

Manage Starter GPOs

It is possible to create a template that contains the most common settings for your enterprise and then use it as the starting point for GPOs that you customize for particular areas. This is called a Starter GPO. There is a Starter GPOs node in the Group Policy Management console for this purpose. Note that a Starter GPO holds only Administrative Templates settings (Computer and User), so security settings, scripts and software deployment still have to be configured in the GPO you derive from it.
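To tie the linking and Starter GPO sections together, here is an added PowerShell example (not code from the original post) using the GroupPolicy module that ships with the Group Policy Management feature. It creates a Starter GPO, derives a real GPO from it, configures one Administrative Templates setting, links the GPO to an OU, and then checks the resulting link order. The domain corp.example, the OU name Workstations and the GPO names are assumptions for the example.

```powershell
# Added example, not from the original post. Requires the GroupPolicy module
# (RSAT: Group Policy Management Tools) and rights to create and link GPOs.
Import-Module GroupPolicy

# Assumptions for this example: domain corp.example with an OU named Workstations.
$domainDn = 'DC=corp,DC=example'
$ou       = "OU=Workstations,$domainDn"

# 1. Starter GPO: a reusable set of Administrative Templates settings.
$starter = New-GPStarterGPO -Name 'Baseline-Starter' `
             -Comment 'Common Administrative Templates settings for all derived GPOs'

# 2. Derive a working GPO from the Starter GPO, then add the settings the
#    Starter GPO cannot carry (here an Administrative Templates setting for
#    illustration; security settings would be added the same way in the GPO).
$gpo = New-GPO -Name 'Workstation-Baseline' -StarterGpoName $starter.DisplayName

# Administrative Templates settings are registry-backed, so Set-GPRegistryValue can
# set them directly. This one turns on PowerShell script block logging.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
    -ValueName 'EnableScriptBlockLogging' -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the OU. -Target takes the LDAP distinguished name of a site,
#    domain or OU, which is how the link sets the GPO's scope.
New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes -Enforced No | Out-Null

# 4. Check what the OU will actually process: its own links plus the ones it inherits
#    from the domain and parent OUs. Lower Order numbers are applied later and win
#    conflicts unless an inherited link is Enforced.
$inh = Get-GPInheritance -Target $ou
"Links on {0} (BlockInheritance={1}):" -f $inh.Path, $inh.GpoInheritanceBlocked
$inh.GpoLinks          | Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
'Inherited links (domain and parent OUs):'
$inh.InheritedGpoLinks | Format-Table Order, DisplayName, Enabled, Enforced, Target -AutoSize

# 5. Keep a record of the GPO as configured, for change tracking.
Get-GPOReport -Name $gpo.DisplayName -ReportType Html -Path "$env:TEMP\Workstation-Baseline.html"
```

Get-GPInheritance is the check worth remembering: a GPO can be linked correctly and still lose to an Enforced link higher up, and this is the quickest way to see that before a user reports the setting "not working".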

Taking Your Active Directory (AD) Offline

This content is a slice of my Hands On Lab 70-742 course at CBT Nuggets.

Offline AD Overview

We know that most of our work with Active Directory takes place while it is online. Certain maintenance items, however, require the service to be offline. This is one of the reasons we love to have multiple Domain Controllers in the network: we can take one DC offline while the other online DCs service client logon requests and the other needs of the directory service.

AD DSRM and Restartable AD DS

For a long time, the only way you could take AD offline was to reboot the Domain Controller into Directory Services Restore Mode (DSRM). Since Windows Server 2008 you also have what is termed restartable Active Directory Domain Services (AD DS). This is a beautiful act of simplicity: you stop the AD DS service (which also stops the services that depend upon it), do your maintenance, and start it again. This is much quicker than restarting the entire Domain Controller into DSRM, although DSRM is still required for some tasks, such as restoring the directory database from a backup.

Restartable AD DS

In order to perform this, follow these steps:

Step 1: Launch the Services console (services.msc).

Step 2: Find Active Directory Domain Services, right-click it, and choose Stop.

Step 3: Agree to stop the dependent services. These should include (at least) DNS Server, Kerberos Key Distribution Center, Intersite Messaging, and DFS Replication.

Step 4: Congrats! AD DS on this DC is now offline. You can still log on to the DC with domain credentials as long as another DC is reachable; if this were the only DC, you would need the DSRM administrator password, which is one more reason never to do this in a single-DC domain.

One example of a maintenance task you could now safely perform would be an offline defragmentation of the AD database (ntds.dit) with ntdsutil, which needs the database file unlocked and therefore AD DS stopped.
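The four steps above, scripted, followed by the offline defragmentation, as an added PowerShell example that is not part of the original post. It reads the database and log paths from the NTDS registry parameters rather than assuming %SystemRoot%\NTDS, refuses to run on the only DC in the domain, and only swaps in the compacted database after an integrity check. The scratch folder C:\NTDS-Compact is an assumption; pick a volume with enough free space for a full copy of ntds.dit.

```powershell
# Added example, not from the original post: restartable AD DS plus offline defrag.
# Run in an elevated PowerShell session on the DC being serviced.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

# Safety check: never take the only DC offline; the others must carry logons meanwhile.
$otherDcs = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $env:COMPUTERNAME }
if (-not $otherDcs) {
    throw 'This is the only domain controller; stopping AD DS here would leave no DC online.'
}

# Where the database and its transaction logs live (defaults are %SystemRoot%\NTDS).
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile     = $ntdsParams.'DSA Database file'
$logPath    = $ntdsParams.'Database log files path'
$compactDir = 'C:\NTDS-Compact'   # assumption: scratch folder for the compacted copy
New-Item -ItemType Directory -Path $compactDir -Force | Out-Null

# Steps 1-3: stop AD DS. -Force also stops the dependents (KDC, DNS Server, ISM, DFSR),
# which is what clicking Yes in the Services console dialog does.
Stop-Service -Name NTDS -Force
Get-Service -Name NTDS, Kdc, DNS, IsmServ, DFSR -ErrorAction SilentlyContinue |
    Format-Table Name, Status -AutoSize

# Step 4: AD DS is offline on this DC and ntds.dit is no longer locked.
# Offline defrag: ntdsutil writes a compacted copy of ntds.dit into $compactDir.
ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit
$compacted = Join-Path $compactDir 'ntds.dit'
if (-not (Test-Path $compacted)) {
    Start-Service -Name NTDS
    throw 'Compaction produced no ntds.dit; AD DS restarted with the original database.'
}

# Keep the original, swap in the compacted file, and delete the old transaction logs,
# as ntdsutil itself instructs after a compaction. Then verify before going live.
Copy-Item -Path $dbFile -Destination "$dbFile.bak" -Force
Copy-Item -Path $compacted -Destination $dbFile -Force
Remove-Item -Path (Join-Path $logPath '*.log') -Force
$check = ntdsutil "activate instance ntds" files integrity quit quit 2>&1
if (-not ($check -match 'Integrity check successful')) {
    Copy-Item -Path "$dbFile.bak" -Destination $dbFile -Force
    Write-Warning 'Integrity check failed; the original database has been put back.'
}

# Bring AD DS back. Starting NTDS does not restart its dependents, so start them too.
Start-Service -Name NTDS
foreach ($svc in 'Kdc', 'DNS', 'IsmServ', 'DFSR') {
    Start-Service -Name $svc -ErrorAction SilentlyContinue
}
Get-Service -Name NTDS, Kdc, DNS, IsmServ, DFSR -ErrorAction SilentlyContinue |
    Format-Table Name, Status -AutoSize
```

Once the services are back, give replication a moment and confirm with repadmin /replsummary that the DC is replicating again before you delete the .bak copy.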
