GPO Application


Tutorial: Preventing Software Installation Over Slow Links

There may be times when the road warriors of our company use their laptops on out of town conferences. They may still want to log into our domain, however. For many employees , this means dialing up over the internet through a phone line in a hotel room. Although adequate for low-speed internet surfing, a 56k modem is hardly the network pipeline in which to process group policy objects such as 50mb software installations! For these special cases, we may wish to turn certain GPOs off when a client is connected to one of these slow links. Thankfully, Windows Server 2003 allows us to do this by setting a GPO to control the way that other GPOs are processed .

  1. Open Active Directory Users and Computers , right-click the guinea.pig item in the left pane and choose Properties , choose the Group Policy tab, and double-click the Default Domain Policy item. The Group Policy Object Editor appears.

  2. Navigate to the Group Policy GPO rules folder located under Computer Configuration ˆ’ > Administrative Templates ˆ’ > System ˆ’ > Group Policy , all located in the left column.

  3. The Group Policy rules appear in the right column. Double-click the item marked Group Policy Slow Link Detection .

  4. Click the Enabled option. Notice the field labeled Connection Speed (Kbps) . This field allows you to define what network speed you consider to be "slow." When Windows Server 2003 detects a client trying to connect at a speed slower than the value entered in this box, it treats that client as having a slow connection. The default value is 500 Kbps (Kilobits/second).

    To give you some reference:

    • 56Kbps = 56K dial-up modem connection

    • 64-128Kbps = ISDN connection

    • 384-1000Kbps = DSL and/or cable modem

    • 1.5Mbps = T1 connection

    • 100Mbps = Fast Ethernet

    • 1000Mbps (1Gbps) = Gigabit Ethernet

    So the default falls somewhere in the range of many cable or DSL connections. You may enter any value ranging from 0 (no slow link detection) to 4,294,967,200Kbps (a rather high number for a slow link). For this exercise, leave the default set at 500Kbps . Click OK when finished.

  5. Now that you have enabled the slow link detection rule, we can tell Windows Server 2003 what actions to take when it encounters a slow link. On the right hand pane is a list of several rules. The rules that pertain to slow link behavior are:

    • Internet Explorer Maintenance policy processing

    • Software Installation policy processing

    • Folder Redirection policy processing

    • Scripts policy processing

    • IP Security policy processing

    • Wireless policy processing

    • EFS (encryption) recovery policy processing

    • Disk Quota policy processing

    For this example, double-click the rule dealing with software installation.

  6. On the Properties window that appears, select the Enabled option. Make sure that the box labeled Allow processing across a slow network connection is not checked. This ensures that any GPOs affecting software installation will not work when a client is connected to the domain over the slow link we defined in step 4. Click OK and close the Group Policy Object Editor .

The Problems and Solutions to Using Multiple GPOs

Group Policy Objects are very powerful ways to control and manage multiple clients in your network. But as many administrators have found out in Windows 2000 Server (Microsoft's first foray into a directory-based network environment), multiple GPOs can start to conflict with one another. Finding the problem rule in the problem GPO can turn into the proverbial "needle in a haystack" hunt. Before going any farther, we must understand how conflicting rules are handled.

Recall that earlier in this chapter, we discussed briefly how GPOs are applied through the domain. When applied to a parent object, such as an organizational unit, the GPO travels down and applies itself to all child objects belonging to the parent object. This may include users, groups, computers, or whatever else resides inside the parent object. That's fine and dandy, but now let's say that you want to apply another GPO to a child object within the parent object. And to make things even more interesting, let's say that the parent object and child object GPOs contain conflicting rules. Which rule gets precedence?

Microsoft designed group policy inheritance so that settings closest to the bottom of the domain tree override conflicting settings in GPOs applied farther up the tree. GPOs can be applied to the following Active Directory Object types, and are processed in the order listed:

  • Site level (specific TCP/IP subnets that can be used to divide up Active Directory) - highest level

  • Domain level

  • OU level

We have already discussed domains and OUs up to this point. We discuss Active Directory sites in the next chapter. For now, you need to know that GPOs can be applied to entire sites.

But what happens if you do not want a certain GPO to be overridden “ever? GPOs do have a special mode called No Override that prevents them from being overridden by other GPOs farther down the tree.

click to expand
Figure 4-9: GPO Conflict Resolution with No Override Setting

A : GPO 1 is applied to the domain with Rules A and B set to True and False. GPO 1's settings are configured for no override .
B : The East Wing OU, a child of the Guinea.Pig domain object, inherits GPO 1's settings.
C : GPO 2 is applied to the North Wing OU with a conflicting rule B, set to True. Since GPO 1 is set to no override, GPO 2's conflicting rule B does take affect. The North Wing OU's children inherit GPO 1's settings as well.

In yet another scenario, what happens if you wish to block all inheritance from higher-level GPOs? Windows Server 2003 adds yet another mode that addresses this very situation.

click to expand
Figure 4-10: GPO Conflict Resolution with Inheritance Blocking

A : GPO 1 is applied to the domain.
B : The East Wing OU, a child of the domain object, inherits GPO 1's settings.
C : GPO 2 is applied to the North Wing OU. GPO 2's settings are configured to block policy inheritance. Because of this, GPO 1's settings do not apply to the North Wing OU or its children.
Get Info

We know you're asking yourself that burning question of what happens when you have both No Override and Block Inheritance turned on. Which one gets precedence? The answer is the No Override setting; No Override overrides Inheritance Blocking.

Obviously, the above examples are very simplistic in nature. What happens when you have 10 or more conflicting GPO rules? What happens if you apply a GPO to a single group or user ? What happens if you change the permissions of a specific GPO? The hard way would be to log in with a client computer and test each and every conflicting GPO rule. This was the initial way that Windows 2000 Server administrators had to test potentially conflicting GPOs. Later, Microsoft added a command line utility called gpresult.exe in its Windows 2000 Resource Kit. It helped resolve some of the confusion caused by so many variables in GPO processing. But, it was text based. For some, that's OK. For others, a more graphical view of the situation can be more informative. The graphical view won out. Microsoft added a GPO "simulation" mode to Windows Server 2003 that allows us to test a GPO or GPOs. This new feature is called Resultant Set of Policy ( RSoP )




Active Directory By The Numbers. Windows Server 2003
Active Directory By the Numbers: Windows Server 2003
ISBN: 0974759309
EAN: 2147483647
Year: 2003
Pages: 88
Authors: Marc Hoffman

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net