MCITP 70-640: Group Policy Introduction
Welcome back to IT Free Training’s course
on Active Directory. This is the first of several videos on Group Policy. The videos
can be watched with the free Active Directory course or by themselves, the choice is up
to you. After watching this video you will have a
better understanding of why there is a need for Group Policy and also the basic mechanics
of how Group Policy works. To start with, what is Group Policy?
Group Policy is a Microsoft technology that allows centralized control of user and computer
settings. It also provides control over applications including the installation and removal of
these applications when they are no longer required. Using Group Policy you can control
the user experience from a centralized location by customizing the look and feel of the desktop
and configuring other settings on the computer. There are literally thousands of Group Policy
Settings that can be configured allowing you to control almost every aspect of the user
experience. To understand why Group Policy is required,
consider what it was like before Group Policy. In a lot of cases, program and system settings
were stored in a text file like an INI file. Editing this file was a little tricky, as
to change one setting would mean rewriting the whole file, making the process very complicated.
In those days changes were often made by a script that was run when the user logged in
and was thus referred to as a login script. To make the process easier, Microsoft introduced
the registry. The registry provided a centralized store containing settings for the operating
system and applications on the system. It was an expandable system that allowed for
a single value to be changed at any time. The registry made configuring options a lot
easier than ever before, but one problem still remained. When a change was made to the registry,
the change was permanent. This is sometimes referred to as tattooing the registry. Without
the ability to roll back a change, if the user were to change jobs tomorrow this may
require a different login script to be used. The new login script would not only have to
make sure all settings required were made, but there needed to be an assurance that any
settings made from another login script were also reversed or written over as required.
With Group Policy, settings can be applied directly to that user and rolled back later.
If for example a user’s job title was to change, the Group Policy or policies assigned
to that user could also change. Once this occurs, Group Policy is able to reverse any
previous configuration made for that user. This means that the administrator only needs
to worry about configuring the required settings; they do not need to worry about removing settings
that were applied using previous Group Policy. Now that you understand the need for Group
Policy, let’s have a look at how the mechanics of Group Policy work. Understanding how Group
Policy works will help you deploy and troubleshoot Group Policy better in your organization.
Despite the fact that Group Policy can be used for centralized control of computers
in your organization, it may surprise you to hear that it is in fact client driven.
Group Policy works like this. The Group Policy settings are first created and configured
and then stored in Active Directory. Once the Group Policy is created it can be downloaded
by the client operating system. This is why I say Group Policy is client driven as it
is up to the client to download the Group Policy from a Domain Controller. This is why
non-Microsoft clients that do not support Group Policy can be added to the domain; they simply
choose not to download Group Policy. A system like this is called a pull system since the client
requests the information rather than the server pushing the data out to the clients.
Once the client receives the Group Policy from the Domain Controller it is up to the
client to apply it to the operating system. This is done by software on the client called
Client Side Extensions. For example, there are Client Side Extensions that are responsible
for creating shortcuts and other extensions for installing applications. To see which
client extensions are installed, I will open regedit from the Start menu and then navigate
down through the registry to the following location.
You are not required to know this for the exam, but understanding how it works will
improve your overall understanding of Group Policy. As shown here, all Group Policy Client
Extensions have their own folder. If I select one of the folders, you can see the name of
Group Policy Client Extensions inside the folder. In this case, this extension will
deploy printer connections to the client. If you want to ensure a user has certain printers
on their computer, create a group policy with those printers in it. When the Group Policy
is deployed, this Group Policy Client Extension will ensure these printers are created on
the local computer and are available to the user.
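
The transcript does not reproduce the registry path shown in the video. As an added example (not part of the original video), the PowerShell below inventories the Client Side Extensions from the standard Windows location, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions, and reports each extension's GUID, display name, DLL and Authenticode status. The function name Get-GpClientSideExtension is hypothetical, and a DllName without a path is assumed to live in System32.

```powershell
# Added example: list the Group Policy Client Side Extensions registered on this computer.
# Standard Windows location of the CSE registrations (not quoted in the transcript).
$GpExtensionsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-GpClientSideExtension {      # hypothetical helper name
    param([string]$Path = $GpExtensionsKey)

    # Each subkey is named after the GUID of one Client Side Extension.
    Get-ChildItem -Path $Path | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath

        # DllName can contain variables such as %SystemRoot%, so expand it first.
        $dll = $null
        if ($props.DllName) {
            $dll = [Environment]::ExpandEnvironmentVariables($props.DllName)
            # Assumption: a bare file name refers to a DLL in System32.
            if (-not [IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path $env:SystemRoot "System32\$dll"
            }
        }

        # Check the signature of the DLL that the Group Policy client will load.
        $signature = 'NoDllName'
        if ($dll) {
            if (Test-Path -LiteralPath $dll) {
                $signature = (Get-AuthenticodeSignature -LiteralPath $dll).Status
            } else {
                $signature = 'FileNotFound'
            }
        }

        [pscustomobject]@{
            Guid      = $_.PSChildName
            Name      = $props.'(default)'   # display name seen in regedit
            Dll       = $dll
            Signature = $signature
        }
    }
}

# Review the inventory; entries whose DLL is missing or not validly signed deserve a closer look.
Get-GpClientSideExtension | Sort-Object Name | Format-Table -AutoSize
```

Saving the output per operating system version also shows which extensions a given client can actually process.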
If I select another extension you can see this extension is responsible for configuration
of network options on the computer. In later videos you will see that certain Group Policy
settings are supported by different operating systems. This is the reason why certain Group
Policy Extensions are available on different versions of Windows and are able to process
certain settings. It is also possible to add additional Client Side Extensions if they are
available. Group Policy looks complex at first, but once
you understand how it is broken down into sections which allow each part to be processed
by different systems, it makes a lot more sense.
To show you the different sections of Group Policy, I will now take a look at an example
of a Group Policy. You can see that this Group Policy is divided into two parts, which are
sometimes referred to as nodes. At the top is Computer Configuration. Any settings that
are configured in this section are applied to the computer as a whole, affecting all
users that use that computer. The User Configuration settings shown at the
bottom contain the same structure as Computer Configuration.
If I go to Computer Configuration, the first folder down is Policies. This is where
the traditional Group Policy settings live. I say traditional because before Windows Server
2008 the Policies folder did not exist. All the settings found under Policies were essentially
all the settings you would find in Group Policy. Under this is the Preferences folder. Preferences
were a late addition to Windows Server 2008 and were added just before it was released to manufacturing.
Preferences was originally a third-party product called PolicyMaker that was purchased by Microsoft.
There is a big fundamental difference between Policies and Preferences. Any settings applied
under Policies the user is forced to have; they do not have a choice. Any settings applied
under Preferences the user has a choice if they want the setting or not.
Under Policies the first folder is Software Settings. If you decide to use Group Policy
to deploy and manage software this is where the Group Policy software settings would be
configured. The next folder down is Windows Settings. Any
settings under Windows Settings generally have an effect on the computer as a whole,
so you will not find settings in here for specific things like which shortcuts appear in the
start menu. For example you can see that startup and shutdown scripts can be configured in
here. If I were to look at Windows Settings under User Configuration these would be login
and logoff scripts. The settings under Security Settings affect
the security related items on the computer. For example, the settings in here affect how
certificates on the computer are used and what rights users will have.
The next section is Administrative Templates. This contains the bulk of the Group Policy
settings. You can see there are quite a lot of sections under here, for example for the
control panel and network. Administrative Templates is a strange name, but later in
the course I will show you how to add additional templates and store the templates in a central
store. This has been a short tour of Group Policy.
To summarize what has been looked at, Group Policy is configured in Active Directory making
it centrally administered. Even though it can be used to configure all the computers
in your domain, it is essentially a client driven technology. Once the client downloads
the Group Policies these are applied to the operating system using Client Side Extensions.
Which operating system you have will determine which Client Side Extensions
are available on that system. In some cases additional Client Side Extensions can be added
to the operating system. In most cases you will be limited to the ones that come with
that operating system. Lastly, Group Policy is divided into sections;
the most noticeable of these are the user and computer sections. At first it may look like
a lot of settings, but once you start using Group Policy you will start to see that the
settings are quite well organized. This video is only the first video for the
Group Policy videos which are part of the Active Directory course. I hope you have enjoyed
this video and continue to watch the rest of the videos as they are released. See you