Managing Group Policy Application and Infrastructure in Windows Server 2012 R2 | Microsoft Press Store

Lesson 1: Maintaining Group Policy Object

As an experience systems administrator pursuing authentication, you have a fair theme of how to use Group Policy. The administration of Group Policy doesn ’ thymine barely occur at the charge of configuring individual policies. In large organizations with many policies, it ’ mho necessary to have a alimony scheme. Ensuring that important Group Policy Objects ( GPOs ) are backed up and recoverable is american samoa significant as backing up and recovering other critical services such as DNS and Dynamic Host Configuration Protocol ( DHCP ). In this lesson, you ’ ll learn how to back up, regenerate, import, and transcript GPOs. You ’ ll besides learn how to delegate the management of GPOs .
After this lesson, you will be able to:

  • Back up, import, copy, and restore GPOs.
  • Migrate GPOs between domains and forests.
  • Delegate GPO management.

Estimated lesson time: 45 minutes

Managing Group Policy Objects

As an experience systems administrator, you are mindful that GPOs enable you to configure settings for multiple users and computers. After you get beyond editing GPOs to configure settings, you need to start thinking about issues such as GPO maintenance. For case, if an important document is lost, you need to know how to recover it from backup. Do you know what to do if person unintentionally deletes a GPO that has hundreds of settings configured over a long period of prison term ?
The independent creature you ’ ll use for managing GPOs is the Group Policy Management Console ( GPMC ), shown in Figure 5-1. You can use this console table to back up, repair, consequence, copy, and migrate. You can besides use this console to delegate GPO management tasks .
There are besides a substantial total of cmdlets available in the Windows PowerShell Group Policy faculty, including the trace :

  • Get-GPO Enables you to view GPOs. The output of this cmdlet is shown in Figure 5-2 .
    FIGURE 5-2
    FIGURE 5-2 Output of the Get-GPO cmdlet
  • Backup-GPO Enables you to back up GPOs.
  • Import-GPO Enables you to import a backed-up GPO into a specified GPO.
  • New-GPO Enables you to create a new GPO.
  • Copy-GPO Enables you to copy a GPO.
  • Rename-GPO Enables you to change a GPO’s name.
  • Restore-GPO Enables you to restore a backed-up GPO to its original location.
  • Remove-GPO Enables you to remove a GPO.

Backing up a GPO enables you to create a copy of a GPO as it exists at a specific decimal point in time. A exploiter must have read license on a GPO to back it up. When you back up a GPO, the accompaniment interpretation of the GPO is incremented. It is good practice to back up GPOs anterior to editing them so that if something goes amiss, you can revert to the unmodified GPO .
real global : Backing up GPOs
If your organization doesn ’ metric ton have access to the Microsoft Desktop Optimization Pack ( MDOP ), you should back up GPOs before you or other people modify them. If a problem occurs, it ’ sulfur immediate to restore a backup than it is to reconfigure the modify GPO with the existing settings. MDOP provides the ability to use GPO versioning american samoa well as early promote functionality .
To back up a GPO, perform the pursue steps :

  1. Open the GPMC.
  2. Right-click the GPO that you want to back up, and pawl Back Up. In the Back Up Group Policy Object dialogue box, shown in Figure 5-3, enter the location of the backup and a description for the stand-in .
    FIGURE 5-3
    FIGURE 5-3 Backing up a united states government printing office

You can restore a GPO using the Restore-GPO cmdlet. Restoring a GPO overwrites the stream version of the GPO if one exists or re-creates the GPO if the GPO has been deleted. To restore a GPO, right-click the Group Policy Objects node in the GPMC, and click Manage Backups. In the Manage Backups dialogue box, shown in Figure 5-4, select the GPO that you want to restore and click Restore. If multiple backups of the lapp GPO exist, you can select which translation of a GPO to restore .
FIGURE 5-4 Restoring a GPO from accompaniment

Import and copy GPOs

Importing a GPO enables you to take the settings in a backed-up GPO and import them into an existing GPO. To import a GPO, perform the follow steps :

  1. Right-click an existing GPO in the GPMC and click Import Settings.
  2. In the Import Settings Wizard, you are given the option of backing up the destination GPO’s settings. This enables you to roll back the import.
  3. Specify the folder that hosts the backed-up GPO.
  4. On the Source GPO foliate of the Import Settings Wizard, shown in Figure 5-5, select the source GPO. You can view the settings that have been configured in the generator GPO prior to importing it. Complete the charming to finish importing the settings .
    FIGURE 5-5
    FIGURE 5-5 Importing GPO settings

Remember that when you import settings from a backed-up GPO, the settings in the backed-up GPO overwrite the settings in the destination GPO .
Copying a GPO creates a newly GPO and copies all configuration settings from the original to the new. You can copy GPOs from one knowledge domain to another. You can besides use a migration table when copying a GPO to map security principals referenced in the source domain to security principals referenced in the destination domain .
To copy a GPO, perform the play along steps :

  1. Right-click the GPO that you want to copy and click Copy.
  2. Right-click the location that you want to copy the GPO to and click Paste.
  3. In the Copy GPO dialogue box, choose between using the default option permissions and preserving the existing permissions assigned to the GPO ( see Figure 5-6 ) .
    FIGURE 5-6
    FIGURE 5-6 Copying a GPO

Fixing GPO problems

Windows Server 2012 and Windows Server 2012 R2 include instruction line utilities that allow you to repair GPO after you perform a world rename or animate default GPOs. If you need to recreate the nonpayment GPOs for a knowledge domain, use the DCGPOFix.exe command. If you perform a domain rename, you can use the GPFixup.exe instruction to repair name dependencies in GPOs and Group Policy links .

Migrate Group Policy Objects

When moving GPOs between domains or forests, you need to ensure that any domain-specific information is accounted for, so locations and security principals in the source sphere aren ’ thymine used in the finish domain. You can account for these locations and security system principals using migration tables. You use migration tables when copy or importing GPOs .
migration tables enable you to alter references when moving a GPO from one knowledge domain to another, or from one forest to another. An example is when you are using GPOs for software deployment and indigence to replace the savoir-faire of a shared booklet that hosts a software initiation file so that it is relevant to the target world. You can open the Migration Table Editor ( MTE ), shown in Figure 5-7, by right-clicking Domains in the GPMC, and clicking open Migration Table Editor.

FIGURE 5-7 Opening the MTE
When you use the MTE, you can choose to populate from a GPO that is in the current domain, or choose to populate the MTE from a backed-up GPO. When you perform this legal action, the MTE will be populated with settings that reference local objects. If, when you perform this action, there are no results, then no local locations are referenced in the GPO that you are going to migrate .
MORE INFO : Working with migration tables
You can learn more about working with migration tables at hypertext transfer protocol : // .

Delegate GPO management

In larger environments, there is more than one person in the IT department. In very large organizations, one person ’ second stallion job province might be creating and editing GPOs. Delegation enables you to grant the permission to perform specific tasks to a specific exploiter or group of users. You can delegate some or all of the succeed Group Policy management tasks :

  • GPO creation
  • GPO modification
  • GPO linking to specific sites, organizational units (OUs), or domains
  • Permission to perform Group Policy Modeling analysis at the OU or domain level
  • Permission to view
  • Group Policy Results information at the OU, or domain level
  • Windows Management Instrumentation (WMI) filter creation

Users in the Domain Admins and Enterprise Admins groups can perform all Group Policy management tasks. Users that are members of the Group Policy Creator Owners domain group can create GPOs. They besides have the proper to edit and delete any GPOs that they have created .
You can delegate permissions to GPOs directly using the GPMC, as shown in Figure 5-8 .

Creating GPOs

If you want to delegate the ability for users to create GPOs, you can add them to the Group Policy Creator Owners group. You can besides explicitly grant them permission to create GPOs using the GPMC. To do this, perform the comply steps :

  1. Open the GPMC from the Tools menu of Server Manager.
  2. Expand the domain in which you want to delegate the ability to create GPOs, click Group Policy Objects, and click the Delegation tab.
  3. Click Add and select the group or user that you want to give the ability to create GPOs in that domain.

tick.jpg Quick check

  • What group should you add users to if you want to enable them to create GPOs in the sphere, but not add them to the Domain Admins or Enterprise Admins groups ?
    Quick check answer
  • Add them to the Group Policy Creator Owner group.

Editing GPOs

To edit a GPO, users must be either a extremity of the Domain Admins or Enterprise Admins group. They can edit a GPO if they created it. They can besides edit a GPO if they have been given Read/Write permissions on the GPO through the GPMC .
To grant a exploiter license to edit a GPO, perform the follow steps :

  1. Click the GPO in the GPMC.
  2. Click the Delegation check, as shown in Figure 5-9 .

    FIGURE 5-9
    FIGURE 5-9 Delegating permissions

  3. Click Add, specify the user or group that should have permission to edit the GPO, and then specify the permissions that you want to give this user or group. You can choose from one of the take after permissions :
    • Read
    • Edit Settings
    • Edit Settings, Delete, Modify Security

Linking GPOs

To enable a drug user to link a GPO to a specific object, you need to edit the permission on that aim. You can perform this task in the GPMC, as shown in Figure 5-10. For case, to grant a exploiter or group license to link a GPO to an OU, select the OU in the GPMC, select the Delegation tab key, chink Add, and then select the exploiter or group to which you want to grant this license .

FIGURE 5-10 Delegating connection GPO license

Modeling, results, and WMI filters

Delegating permissions to perform tasks related to Group Policy Modeling and Group Policy Results is performed at the domain flat, as shown in Figure 5-11. You can delegate the ability to create WMI filters by selecting the WMI Filters node in the GPMC and granting the permission on the Delegation yellow journalism .

FIGURE 5-11 Delegating Group Policy Modeling and Group Policy Results permissions

Lesson summary

  • Each time you back up a GPO, it creates a copy of that GPO at a particular point in time.
  • Restoring a GPO overwrites the existing GPO if it still exists, or recovers it if it has been deleted.
  • Importing a GPO overwrites the settings in the destination GPO with the settings from the imported GPO.
  • Copying a GPO creates a duplicate of the GPO.
  • You use migration tables when moving GPOs between domains and forests to account for local references in the source domain.
  • You can delegate the permission to create, edit, and link using the GPMC. Non-administrative users can then perform some Group Policy tasks, such as editing policies, without giving them unnecessary privileges.

Lesson review

Answer the adopt questions to test your cognition of the information in this lesson. You can find the answers to these questions and explanations of why each answer option is discipline or faulty in the “ Answers ” incision at the end of this chapter .

  1. You have 200 person GPO settings in a backed-up GPO named Melbourne-2012 that you want to include in an existing GPO named Sydney-2013. Which of the postdate Windows PowerShell cmdlets should you use to accomplish this goal ?
    1. Backup-GPO
    2. Import-GPO
    3. Restore-GPO
    4. Copy-GPO
  2. prior to editing a Group Policy, your assistant makes a accompaniment of the GPO that she is going to edit. unfortunately, she makes a mistake in configuring the GPO. You need to revert the GPO to the state of matter it was in prior to your assistant ’ s edits. Which of the following Windows PowerShell cmdlets should you use to accomplish this goal ?
    1. Copy-GPO
    2. Restore-GPO
    3. Import-GPO
    4. Backup-GPO
  3. You want to copy a GPO from one world to another in a forest. Which tool should you use to ensure that references to objects in the informant world updated are relevant to the destination knowledge domain ? ( Choose all that apply. )
    1. Active Directory Sites and Services
    2. Active Directory Users and Computers
    3. Migration Table Editor
    4. Group Policy Management Editor
  4. Which of the pursuit security system groups have the right to create GPOs by nonpayment ? ( Choose all that apply. )
    1. Group Policy Creator Owners
    2. Enterprise Admins
    3. Domain Admins
    4. Domain Controllers
  5. You are about to make solid modifications to the nonpayment world GPO. You want to ensure that you can return to the current state of matter of the GPO if the modifications cause problems. Which of the play along Windows PowerShell cmdlets should you use ?
    1. Copy-GPO
    2. Restore-GPO
    3. Import-GPO
    4. Backup-GPO
source :
Category : Tech

About admin

I am the owner of the website, my purpose is to bring all the most useful information to users.

Check Also


Manage participants in a zoom meeting webinar

Call the people who attend the meet as follows Alternate host host Who scheduled the …

Leave a Reply

Your email address will not be published.