1) Introduction
System administration is about saving time and keeping the environment optimized. You need a strict set of policies to manage end users, to prevent or limit actions that exceed their role and affect the system, and to cut the time you spend troubleshooting for end users. Group Policy Objects (GPOs) were created to do exactly this.
2) Structure of GPO
A GPO consists of 2 parts, stored separately in 2 different locations:
- Group Policy Template (GPT): contains the settings of the policy. There are two main branches: User Configuration and Computer Configuration.
- Group Policy Container (GPC): represents the policy object itself. You can create one or more policies, and to configure and apply them correctly to users, the GPC relies on the Active Directory structure (Forest, Domain, OU).
These policies are stored under %systemroot%\SYSVOL\sysvol\domain_name\Policies\GUID.
Each policy has properties such as Domain, Owner, Date and Time, User/Computer version, GUID and GPO Status. Each policy has a unique GUID.
The GPO Status field has 4 options:
- Enabled: enables all User and Computer settings in the policy.
- All settings disabled: disables all User and Computer settings.
- Computer configuration settings disabled: applies only the User Configuration settings and disables those under Computer Configuration.
- User configuration settings disabled: applies only the Computer Configuration settings and disables those under User Configuration.
3) Working principle of GPO
Policies can be linked to an OU, a Site or a Domain. By default, GPO processes policies with the following priority: OU, Site, Domain. For example, you link a Folder Redirection policy at the Site level that redirects all users' My Documents folder to the File Server in the head office, and you also link a Folder Redirection policy at the OU level that redirects My Documents to the File Server in the branch. In this case, the GPO gives priority to the OU policy, so those users' Documents folders are redirected to the branch File Server.
However, there are several features that let you control how GPOs are processed:
- Block Inheritance: usually configured on an OU; it ignores all policies from higher levels such as Site and Domain, so only the policies linked to that OU apply.
- Enforced: usually configured at the Domain or Site level; it forces the policy down to every OU beneath it and takes precedence over the policies in those OUs, even where Block Inheritance is configured on the OU.
- Security Filtering: suppose you apply a policy that blocks IE access to the Accounting OU, which contains the department head, employee 1 and employee 2. What if only the department head needs to use IE? Simply open that policy and go to Scope -> Security Filtering. Remove the Authenticated Users group and add employee 1 and employee 2 instead. The department head is now excluded from that policy.
GPO processing runs when the computer starts and when the user logs on. After that, it refreshes once every 90 to 120 minutes.
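The precedence, Block Inheritance, Enforced and Security Filtering controls described above, driven from PowerShell with the GroupPolicy RSAT module, as an added example that is not part of the original article. The domain corp.example.com, the Accounting OU, the GPOs "Block IE" and "Domain Security Baseline" and the accounts employee1/employee2 are hypothetical names; the Domain Computers read permission is a caveat the article does not mention.

```powershell
# Added example, not from the original article. Assumes a domain-joined admin
# host with the GroupPolicy and ActiveDirectory RSAT modules; all names are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDN = 'DC=corp,DC=example,DC=com'
$OU       = "OU=Accounting,$DomainDN"
$GpoName  = 'Block IE'

# 1) Link the GPO to the OU. Order 1 = highest precedence among the links on this OU.
New-GPLink -Name $GpoName -Target $OU -LinkEnabled Yes -Order 1 -ErrorAction SilentlyContinue

# 2) Block Inheritance on the OU: Site and Domain policies no longer reach it.
Set-GPInheritance -Target $OU -IsBlocked Yes

# 3) Enforce a Domain-level link: an Enforced link still wins over Block Inheritance.
Set-GPLink -Name 'Domain Security Baseline' -Target $DomainDN -Enforced Yes

# 4) Security Filtering: drop Authenticated Users (-Replace lowers an existing Apply
#    permission) and apply the policy only to the two employees.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel None -Replace
'employee1', 'employee2' | ForEach-Object {
    Set-GPPermission -Name $GpoName -TargetName $_ -TargetType User -PermissionLevel GpoApply
}
# Since MS16-072 the computer account reads the GPO on the user's behalf, so keep
# Read (not Apply) for Domain Computers or the user settings silently stop applying.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
                 -PermissionLevel GpoRead

# 5) Verify the effective link order and the filtered trustees before trusting the change.
(Get-GPInheritance -Target $OU).InheritedGpoLinks | Select-Object DisplayName, Enforced, Order
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission

# 6) Push the change to the OU's computers now instead of waiting for the 90-120 minute refresh.
Get-ADComputer -SearchBase $OU -Filter * | ForEach-Object {
    Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0
}
```

Run it from an elevated session with Group Policy edit rights; step 5 is the place to confirm that the department head no longer appears with Apply permission.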
4) Backup and Restore of policies
GPO lets you back up your policies and restore them when something goes wrong.
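A backup-before-change and restore workflow for the above, as an added example that is not part of the original article. The GroupPolicy module cmdlets are real; the share \\fs01\GPOBackup and the GPO name "Block IE" are hypothetical.

```powershell
# Added example, not from the original article. Share and GPO name are hypothetical.
Import-Module GroupPolicy

$BackupPath = '\\fs01\GPOBackup'
$GpoName    = 'Block IE'

# Back up every GPO in the domain before touching anything. Each backup lands in its
# own folder named by a backup GUID, so repeated runs never overwrite earlier copies.
$backups = Backup-GPO -All -Path $BackupPath -Comment ("Pre-change backup " + (Get-Date -Format s))
$backups | Select-Object DisplayName, GpoId, Id, CreationTime

# Keep a human-readable report of the current settings next to the backup for later comparison.
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $BackupPath "$GpoName.html")

# After a bad change: restore the GPO from its most recent backup in that path. The GPO's
# settings, security filtering and WMI filter link come back; links to Sites/Domains/OUs
# are not part of the GPO and must be re-created with New-GPLink if they were removed.
Restore-GPO -Name $GpoName -Path $BackupPath

# Alternatively, import the backed-up settings into a separate GPO, e.g. to test them first.
Import-GPO -BackupGpoName $GpoName -Path $BackupPath -TargetName "$GpoName - Test" -CreateIfNeeded

# Confirm the restore by checking the modification time and version counters.
Get-GPO -Name $GpoName | Select-Object DisplayName, ModificationTime, User, Computer
```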
5) New GPO Features in Windows Server 2012 R2
- Group Policy Caching (new): when the computer has downloaded the latest policies, it saves them to a local folder. On the next start or reboot it compares its cached copy with the domain and downloads only the policies it does not yet have, instead of re-downloading the entire set as older Windows Server versions did. This greatly reduces logon time and policy processing time and saves bandwidth; it is well suited to computers using the DirectAccess feature. Enable it at Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Group Policy Caching.
- Remote Group Policy Update (new): lets you run the gpupdate /force command remotely from the Group Policy Management console against any computer in the domain. Right-click the OU -> Group Policy Update -> OK.
- Group Policy Infrastructure Status Details (new): a view integrated into the GPM console that monitors replication of GPO policies between the DCs/ADCs in the domain. It gives you an overview of policy replication and lets you check and update it easily. (Click Detect Now to scan; the system then displays the replication information. A question mark marks DCs/ADCs that cannot be contacted or have not replicated; a blue check mark marks DCs/ADCs that have replicated fully.)
- Fast Startup (new): to reduce GPO processing time at shutdown and startup, Group Policy treats the computer as being in hibernation rather than shut down. This lets users sign in quickly by skipping the policy update. Note for Windows 8 and Windows 8.1: when you shut down, the system does not shut down completely but only enters Hibernate mode, so when you start it again the policies are still the old ones. A Restart, however, is a true shutdown, and after restarting the computer updates its policies again. It can be disabled at Computer Configuration\Policies\Administrative Templates\System\Shutdown\Require use of fast startup.
- Sign-in Optimizations (updated): at logon, GPO measures the user's connection bandwidth to determine whether the link is fast or slow. On a slow link it switches to the asynchronous policy processing mechanism so the user can log in faster. This applies to machines on remote connections such as DirectAccess or 3G. Configure it at Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Group Policy slow link detection: declare the bandwidth below which a link is considered slow, or tick the "Always treat WWAN..." box so that any connection detected as coming from the WAN is treated as a slow link.
- Group Policy Client Service idle state (updated): by default GPO refreshes once every 90 minutes; if the user has not used the computer for 10 minutes (idle time), this service is turned off. The default is Enabled; you can disable it at Computer Configuration\Policies\Administrative Templates\System\Group Policy\Turn off Group Policy Client Service AOAC optimization.
- Group Policy Results report improvements (updated): the report table contains more information, such as slow link detection, Block Inheritance details and client-side processing.