Baseline Administration for Group Policy Deployment


Now that you have a basic understanding of the functionality and terminology of Group Policy, you can look at usage and how the configuration of group policies can vary greatly with each individual implementation.

Administrators can use this information to understand the more common methods of applying permissions to Group Policy for management purposes and the tools for testing Group Policy implementations prior to deployment in the production environment.

NOTE

In this section, some best practices for managing Group Policy are covered. For more information and details regarding Group Policy management, view the help information for managing Group Policy with Windows Server 2000 and Windows Server 2003.


Delegating GP Management Rights

It is important to delegate the proper rights for administrators to manage and manipulate Group Policy. For example, in larger organizations a very small group of users normally has permission to edit policies at the domain level. However, when specific requirements are needed to administer applications such as the Exchange client, permissions can be granted to specific areas with the Group Policy Management Console.

When creating specific permissions with the GPMC, administrators can delegate control for other administrators to manage the following areas within Group Policy:

  • Create GPOs

  • Create WMI filters

  • Permissions on WMI filters

  • Permissions to read and edit an individual GPO

  • Permissions on individual locations to which the GPO is linked, called the scope of management (SOM)

To easily assign permissions to GPOs, administrators can use the Delegation Wizard.
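To review what has actually been delegated, the following added example (not from the book) lists every trustee that can edit a GPO and flags the ones outside an expected set. It assumes the GroupPolicy PowerShell module, which shipped with later GPMC releases than the one described here; the `$expectedEditors` list and the function name `Get-GpoEditDelegation` are constructed for illustration.

```powershell
# Added example: audit who holds edit-level rights on each GPO in a domain.
# Assumes the GroupPolicy module (installed with the GPMC feature / RSAT).
Import-Module GroupPolicy

# Trustees expected to hold edit rights. Constructed list; adjust to your domain.
$expectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

# Permission levels that allow changing a GPO's settings or its ACL.
# GpoCustom is included because a custom ACE may contain write access.
$editLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Get-GpoEditDelegation {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        foreach ($ace in Get-GPPermission -Guid $gpo.Id -All -Domain $Domain) {
            if ($editLevels -contains $ace.Permission.ToString()) {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $ace.Trustee.Name      # empty if the SID no longer resolves
                    TrusteeSid = $ace.Trustee.Sid.Value
                    Type       = $ace.Trustee.SidType
                    Permission = $ace.Permission
                    Expected   = $expectedEditors -contains $ace.Trustee.Name
                }
            }
        }
    }
}

# Show only delegations that fall outside the expected set.
Get-GpoEditDelegation |
    Where-Object { -not $_.Expected } |
    Sort-Object Gpo, Trustee |
    Format-Table -AutoSize
```

This covers the per-GPO read and edit permissions from the list above; rights to create GPOs, to manage WMI filters, and to link GPOs at a SOM are stored elsewhere and need a separate review.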

Working with Resultant Set of Policies (RSoP)

The new GPMC provides administrators with a powerful tool for planning and testing Group Policy implementations prior to enforcing them on domain workstations and users. Using the RSoP tool in planning mode, administrators can simulate the deployment of a specified group policy, evaluate the results of the test, make changes as needed, and then test the deployment again. After RSoP shows that the GPO is correct, the administrator can then back up the GPO configuration and import it into production.

To run RSoP in simulation mode, right-click on Group Policy Modeling in the forest that will be simulated, and choose Group Policy Modeling Wizard. The wizard enables you to input slow links, loop-back configuration, WMI filters, and other configuration choices. Each model is presented in its own report as a subnode under the Group Policy Modeling node.

TIP

Because errors in Group Policy settings can impact users and client/server connectivity, any Group Policy implementation should be tested using the RSoP tool in planning mode before applying the policy.


Managing Group Policy Inheritance

In order to maximize the inheritance feature of Group Policy, keep the following in mind:

  • Isolate the servers in their own OU: Create descriptive Server OUs and place all the non-domain controller servers in those OUs under a common Server OU. If software pushes are applied through Group Policy on the domain level or on a level above the Server OU and do not have the Enforcement option checked, the Server OU can be configured with Block Policy Inheritance checked. As a result, the servers won't receive software pushes applied at levels above their OU.

  • Use Block Policy Inheritance and Enforcement sparingly to make troubleshooting Group Policy less complex.
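To see where these two options are in use, the following added example (not from the book) walks the domain root and every OU, reports each container with Block Policy Inheritance set, and names the enforced GPOs from higher levels that still reach it. It assumes the ActiveDirectory and GroupPolicy PowerShell modules from later Windows Server releases; the function name `Get-GpInheritanceException` is constructed for illustration.

```powershell
# Added example: inventory Block Policy Inheritance and Enforced links.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT).
Import-Module ActiveDirectory, GroupPolicy

function Get-GpInheritanceException {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # The domain root is not an OU, so add it to the container list explicitly.
    $ouDns   = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
                   Select-Object -ExpandProperty DistinguishedName
    $targets = @($SearchBase) + @($ouDns) | Select-Object -Unique

    foreach ($dn in $targets) {
        $som = Get-GPInheritance -Target $dn

        if ($som.GpoInheritanceBlocked) {
            # Enforced links on parent containers still apply despite the block.
            $stillApplied = $som.InheritedGpoLinks |
                Where-Object { $_.Enforced -and $_.Target -ne $dn }
            [pscustomobject]@{
                Container = $dn
                Finding   = 'Block Policy Inheritance'
                Detail    = 'Enforced GPOs still applied: ' +
                            (@($stillApplied.DisplayName) -join ', ')
            }
        }

        # Links made directly on this container with Enforced set.
        foreach ($link in $som.GpoLinks | Where-Object { $_.Enforced }) {
            [pscustomobject]@{
                Container = $dn
                Finding   = 'Enforced link'
                Detail    = $link.DisplayName
            }
        }
    }
}

Get-GpInheritanceException | Sort-Object Container, Finding | Format-Table -AutoSize -Wrap
```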

Group Policy Backup, Restore, Copy, and Import

One major new improvement to Group Policy management is the ability to back up (or export) the Group Policy data to a file. Using the backup functionality of the GPMC, any policy can be tested in a lab environment and then exported to a file for deployment in the production domain.

When backing up Group Policy, you back up only data specific to that GP itself. Other Active Directory objects that can be linked to GPOs, such as individual WMI filters and TCP/IP security policies, are not backed up, because of complications with restores when working with these specific areas. When backup is completed, administrators can restore the Group Policy data in the same location, restoring proper functionality to misconfigured and accidentally deleted group policies.

The import functionality of the GPMC also enables administrators to take an exported Group Policy file and import the Group Policy data into a different location from its original one. This functionality is true even in scenarios where no trust exists between domains.

Imports of Group Policy files can be completed using files from different domains, across forest domains, or within the same domain. This functionality is most powerful when you move a GPO from a test lab into production without having to manually re-create the policy setting tested in the lab environment.
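The lab-to-production move described above, as an added example that is not from the book. It assumes the GroupPolicy PowerShell module from later GPMC releases; the GPO names, folder path, and the function names `Export-LabGpo` and `Import-LabGpo` are hypothetical. The two functions are meant to be run separately, one in each domain, with the backup folder carried between them.

```powershell
# Added example: export a tested GPO in the lab, import it into production,
# then produce a settings report for review before the GPO is linked.
Import-Module GroupPolicy

# Run in the lab domain. $BackupDir must already exist.
function Export-LabGpo {
    param([string]$Name, [string]$BackupDir)

    $backup = Backup-GPO -Name $Name -Path $BackupDir -Comment "Tested in lab: $Name"
    # The backup ID identifies this backup inside the folder; hand it to the importer.
    return $backup.Id
}

# Run in the production domain against a copy of the backup folder.
function Import-LabGpo {
    param([guid]$BackupId, [string]$BackupDir, [string]$TargetName)

    # Imports settings only. A GPO created by -CreateIfNeeded is not linked anywhere.
    $gpo = Import-GPO -BackupId $BackupId -Path $BackupDir `
                      -TargetName $TargetName -CreateIfNeeded

    # WMI filters are not part of the backup, so the filter must be re-created
    # and re-linked by hand if the lab GPO relied on one.
    if (-not $gpo.WmiFilter) {
        Write-Warning "'$TargetName' has no WMI filter linked after import."
    }

    # Settings report to compare against the lab results before linking.
    $report = Join-Path $BackupDir "$TargetName.html"
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report
    return $report
}

# Hypothetical usage:
#   $id = Export-LabGpo -Name 'Lab - Exchange Client' -BackupDir 'C:\GpoTransfer'
#   Import-LabGpo -BackupId $id -BackupDir 'C:\GpoTransfer' -TargetName 'Exchange Client'
```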

Another helpful function of Group Policy Management is copying GPOs. If the administrator has configured a complex group policy and applied the setting to a specific organizational unit (OU) in the domain, the group policy can be copied and duplicated for application to another OU. When using the copy function, a new group policy is created. This new policy can then be placed and applied to the new location.

Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
EAN: 2147483647
Year: 2003
Pages: 393
Authors: Rand Morimoto
