Join Rick Trader for an in-depth discussion in this video, Group Policy management, part of Windows Server 2012 Group Policy.
- Now that you've got your group policy environment in place and you've started deploying group policies out to your environment at the OU level, whether it be at computers or affecting your users, there are now some management tasks that we need to take care of inside the environment. In this session, we'll be looking at how can we back up and restore all of our group policy objects, or how can I back up and restore an individual group policy object? We'll look at a feature that Microsoft gave us with Group Policy Management Console in Server 2003 that allows us to copy a group policy object.
Let's say, for instance, Adam has created the greatest group policy ever for locking down users inside their organizational unit. You need the same type of policy for your organizational unit, so you can go out and you can actually now copy Adam's group policy object and apply it to your users, which is actually a really cool feature, without having to recreate it altogether. There also may be situations where we have a group policy object that was written in another domain, or if we use the Microsoft Security Compliance Manager tool, we may decide we want to use one of their built-in, or one of their canned, group policy objects that we want to apply to a given organizational unit.
In that case, we would need to import a group policy object into our environment, but before we can import that object in, we need to look at what's called migration tables. So, in this session, we'll be looking at backing up and restoring, copying, how to create or what are migration tables, and then finally, how do we export or import a group policy object. With that said, backing up and restoring. In my environment, by default, when I back up system state, the SYSVOL folder gets backed up. So does Active Directory.
So, when we back up SYSVOL, we back up AD, we're going to get a backup of our Active Directory structure, which includes our group policies. Let's say, for instance, we're going to go in and we want to make changes to an individual policy. Before we make changes to that individual policy, we might want to think about backing that policy up, in the event that that policy doesn't do what we want it to do, we can actually restore it back to what that policy was. Better yet, what if someone inadvertently deleted an individual policy and I want to restore that policy?
It's much easier to back it up and restore it inside the Group Policy Management Console, or there are some group policy scripting tools we can use. There are also some PowerShell tools that we can use to accomplish these same tasks. I'm going to go into my Group Policy Management Console on my server here, and in this environment, I've already created an OU structure for Arizona, New Mexico, New York, and Texas. I've already created some group policy objects throughout my environment. I've got a group policy object that locks down some kiosk machines in the environment.
I've got a group policy object that's going to restrict use of the control panel for non-administrative personnel and non-managers. I've also got a group policy that's going to lock down some temporary contract employees. You can read what I've got going here. These policies are linked throughout the Arizona Phoenix Design OU. Here's the first situation. Let's say, for instance, I want to make changes to this AZ Temp and Contract employees. First of all, if I come down and I click on the policy, it'll show me that the policy is currently linked to a users container underneath Arizona/Phoenix/Design/Users.
So if I were to come under here, it shows me the policy's linked right here. This policy is live, so if I make any changes to the policy right now, if the user or a computer were to start up in this environment, that policy's going to take immediate effect. What I can do if I wanted to make changes and not have it felt is I can secondary click on the policy; there's an option here, Link Enabled, and I can unlink it. What that will do is any policy that's currently out there, when a computer starts up or a user logs on, they'll get those cached credentials.
It's not like removing the policy. But any user that logs on or a computer that starts up that's in this OU structure won't read the policy. So this allows me to safely manipulate the policy. I come down here and let's say, for instance, I'm going to make changes to this policy, but before I make changes to it, I should back it up. What I'm going to do is I'm going to show you how to back up all the policies at one time, and then I'll show you how to restore an individual policy. If I click on Group Policy Objects, there's an option to Back Up All.
I'm going to come down to Browse and I'm going to create, in the root of my C drive, a folder, and I'm just going to call it gpobackups to make it easy to find. Then select that folder, hit OK, and then I can give this particular backup I'm running a description. I'm just going to call it demo 1 and hit Back Up. This is now going out and it's backing up every policy in the domain.
Not just the policies that are in my OU, every policy in the domain. I hit OK. The policies are now backed up. Now I can go in and I can make changes to this individual policy. Let's say I make the changes and I go, "Oh man, that's not what I wanted, and oh, I can't remember what it was before." I can actually secondary click on this policy and I can restore from backup. Next, and that's going to browse right back to that exact same folder I was in. Picks that policy, Next, Finish, and I've just restored that policy to what it looked like before I started making changes.
That's if I had backed up all the policies. I can also, if I'm going to make changes to this policy as an individual, I can secondary click on the policy, do a backup, and now I can back it up to the same folder. I'll do pre changes, and I backed up the individual policy. I go make the changes, then I realize that's not what I wanted. I want to roll back to the previous set of changes.
I can secondary click on the policy, restore from backup, Next, same folder, and notice this time it gives me an option, which do I want to restore. Do I want to restore the one that was done as all the policies, or do I just want to restore the one that I just took? The other advantage to this is, let's say, for instance, we have the ability to delete policies and someone comes along - And notice right now on this policy I have it filtered to Temp and Contract employees on this OU.
But let's say, for instance, somebody accidentally - I'm not going to say intentionally. Someone accidentally deleted the policy. What they really wanted to do was, under the users container, they only wanted to unlink it, but they accidentally deleted it. This is where I can come into my group policy objects container, I can secondary click on it, and I have the option to manage all backups. Here are all my policies that I have in this backup folder. Here's the one I backed up just a few seconds ago and here's the one that I did as a backup of all of them.
I'll go ahead and choose this one, I'll choose to restore. Yes, do I want to restore. It restores the policy. I want to show you there's a couple things that it did not do. What it did not do was it did not relink it. So, you have to remember where it was linked. The other thing it did not do was - Or I should say it did remember what the filters were on the policy. It didn't relink, but it did remember the filters.
If I come up to Users and then I want to link an existing group policy object, then I can link that policy back. We've seen how to back up an individual policy, how to back up all the policies in the domain, how to restore an individual policy, and how to restore a policy that was inadvertently deleted. The next thing we want to look at then is how to copy a policy. This comes in really, really handy. This was an issue we had back in the Windows 2000 arena and an issue we had in Windows 2003 before Microsoft released the Group Policy Management Console.
Let's say, for instance, I have this policy here and I'll use the same one, AZ Temp and Contract Employees: remove Run and reg editing tools. What's cool is this isn't linked to my Arizona/Phoenix/Design/Users OU and it's filtered on a specific group called Temp and Contract Users. What it's going to do is it's removing the Run command and registry editing tools, just like it says it does. But let's say, for instance, we've got that administrator out there, who's been delegated administrative rights of the New York OU.
John looks at this policy and goes, "That's the greatest policy ever and I'm kind of lazy, so I'm not going to recreate the policy." They come down here to their New York OU and let's say they have the same structure that I had. For simplicity's sake, I'm just going to do it to New York. They secondary click, they link an existing policy, they find my policy, and they hit OK. They've now linked my policy to their OU. But their contract employees, their temp employees, the policy's not being applied to them, because their users are not a member of my group.
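The same back-up-all, back-up-one, unlink, restore and relink steps, done with the GroupPolicy PowerShell module that ships with Windows Server 2012. This is an added example, not code from the course or from Rick Trader; the backup folder and the GPO name follow the session, while the domain name and the OU distinguished name are placeholders. It records the GPO's links before touching it, because, as the session shows, a restore brings back the settings and the security filtering but not the links.

```powershell
# Added example: GPO backup/restore with the GroupPolicy module (Windows Server 2012).
# Assumptions: C:\gpobackups and the GPO name follow the session; the domain and OU
# distinguished name below are placeholders for your own environment.
Import-Module GroupPolicy

$BackupPath = 'C:\gpobackups'
$GpoName    = 'AZ Temp and Contract Employees'
$OuDn       = 'OU=Users,OU=Design,OU=Phoenix,OU=Arizona,DC=contoso,DC=com'   # placeholder

if (-not (Test-Path $BackupPath)) {
    New-Item -ItemType Directory -Path $BackupPath | Out-Null
}

# 1. "Back Up All": every GPO in the domain, not just the ones linked to one OU,
#    tagged with the same description the session uses.
Backup-GPO -All -Path $BackupPath -Comment 'demo 1' |
    Select-Object DisplayName, Id, Timestamp

# 2. Record where this GPO is linked BEFORE editing or restoring it. Restore-GPO
#    recreates settings and the security filter (ACL) but never recreates links.
$links = (Get-GPInheritance -Target $OuDn).GpoLinks |
         Where-Object { $_.DisplayName -eq $GpoName }
$links | Format-Table DisplayName, Target, Enabled, Order

# 3. Disable the link (GPMC: uncheck "Link Enabled") so no user or computer picks up
#    half-finished edits, then take an individual backup of just this GPO.
Set-GPLink -Name $GpoName -Target $OuDn -LinkEnabled No
Backup-GPO -Name $GpoName -Path $BackupPath -Comment 'pre changes'

# ... edit the GPO here ...

# 4. Roll back. With -Name and -Path, Restore-GPO uses the most recent backup of
#    that GPO in the folder; several backups of the same GPO can coexist there,
#    and a specific one can be chosen with -BackupId instead.
Restore-GPO -Name $GpoName -Path $BackupPath

# 5. If the GPO had been deleted rather than edited, Restore-GPO recreates it under
#    its original GUID. Either way, put the links back from what step 2 recorded
#    and re-enable them.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    Restore-GPO -Name $GpoName -Path $BackupPath
}
foreach ($l in $links) {
    $linkedNow = (Get-GPInheritance -Target $l.Target).GpoLinks.DisplayName -contains $GpoName
    if (-not $linkedNow) {
        New-GPLink -Name $GpoName -Target $l.Target -LinkEnabled Yes -Order $l.Order
    } else {
        Set-GPLink -Name $GpoName -Target $l.Target -LinkEnabled Yes
    }
}

# Confirm the security filter survived the round trip, as it does in the session.
Get-GPPermission -Name $GpoName -All | Format-Table Trustee, Permission
```

Run it in an elevated PowerShell session on a domain member with the Group Policy Management feature installed. Step 2 is the part the GPMC wizard does not do for you: without that record, a restored GPO sits unlinked in the Group Policy Objects container until someone remembers where it belonged.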
Notice, it also kept my filter. So, John, being the person he is, goes, "Oh, okay, that's what happened," and he comes in and he removes that group and he adds in - I'm going to have to go in here real quick, because I don't have a group specifically for John, so I'm going to imagine this group here says "John's Group". Hits OK and they come in and now it's affecting John's users, because now John's users are in this group.
What just happened? The next time a contract or temp employee logs into my environment, one of my contract or temp employees logs in, they're no longer feeling this group policy, because they're no longer in the group that's being filtered. What should John have done? He could've done one of two things. Instead of deleting my group out of there, John could've added his own group. Or, what John could've done was - Here's my group policy.
Notice its name, AZ Temp and Contract. Has nothing to do with the fact that it's linked to John's OU. I'll come up and I'll remove it from John's OU. What John could've done was secondary clicked on here and done a copy, right-click on the group policy objects, and paste. Notice it asks, do you want to paste default permissions, which will replace my users, my AZ temp and contract users, with the authenticated users group, or do you want to preserve permissions? Well, in John's case, preserving permissions won't do him any good, so John would go ahead and say, "Set default permissions." Hits OK, OK.
He now gets a brand new group policy object called "Copy of" and then John can secondary click on this and rename it. Instead of being AZ Temp employees and users, he can rename this New York. Remember the commercial, New York City? John, being from New York City, is his temp and contract employees. He now can come in here, remove the authenticated users group, if that's what he wants to do and add in his group. Again, I'll just pick a group, because I haven't created a group specifically for John, because that's not my OU, that's John's OU, so I'll come down here and I'll just grab this sales temp users.
Then, notice if I come up to my OU up here, my group policy object, notice it didn't change mine. Actually, it's still there from when John changed it the first time, darn him. Anyway, you've got to watch guys like that. I'll come down to my AZ Temp and Contract users. (mumbling) We'll use that group right there.
Now John comes up here and he would link it to his group and then he would right-click, link an existing group policy object. He would now do the New York Temp and Contract, remove contract users, and notice that when he clicks on it, it maintains his group of users, not affecting mine. That would be the best way to do it. If someone out there has a group policy that you want to mimic theirs, instead of recreating it from scratch, because you run the risk of these kids not paying attention to what you want to do and not selecting what you want, copy the group policy object, paste it, rename it, and then you're ready to go.
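The copy-paste-rename-refilter sequence above, as an added PowerShell example (not code from the course or its author). The source GPO name follows the session; the new GPO name, the New York OU distinguished name and John's group are placeholders. The point it makes is the same one the session makes: the copy gets its own security filter, and the original's filter is untouched.

```powershell
# Added example: copying a GPO for another OU without touching the original's
# security filtering. Source GPO name follows the session; the rest are placeholders.
Import-Module GroupPolicy

$SourceGpo = 'AZ Temp and Contract Employees'
$NewGpo    = 'NY Temp and Contract Employees'   # placeholder name for the copy
$NyOu      = 'OU=New York,DC=contoso,DC=com'    # placeholder OU DN
$NyGroup   = 'NY Temp and Contract Users'       # placeholder security group

# Copy the settings. Without -CopyAcl the copy receives default permissions
# (Authenticated Users: Read + Apply), which is GPMC's "set default permissions".
# Adding -CopyAcl is "preserve permissions" and would carry the AZ group filter
# across, which is useless to John because his users are not in that group.
Copy-GPO -SourceName $SourceGpo -TargetName $NewGpo

# Re-filter the COPY: drop Authenticated Users and grant Apply to John's group.
# -PermissionLevel None removes the trustee's entry entirely.
Set-GPPermission -Name $NewGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
Set-GPPermission -Name $NewGpo -TargetName $NyGroup -TargetType Group -PermissionLevel GpoApply

# Link the copy to John's OU, not the original.
New-GPLink -Name $NewGpo -Target $NyOu -LinkEnabled Yes

# Verify: the copy is filtered to John's group, the original still lists only
# the AZ group. If the original shows a foreign group here, someone edited the
# shared GPO instead of copying it, which is the failure the session describes.
'--- copy ---';     Get-GPPermission -Name $NewGpo    -All | Format-Table Trustee, Permission
'--- original ---'; Get-GPPermission -Name $SourceGpo -All | Format-Table Trustee, Permission
```

Checking `Get-GPPermission` on the original after the change is the cheap detective control here: an unexpected trustee on a GPO that is linked into your OU means your policy is being filtered by someone else's group edits.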
The next thing we want to talk about is migration tables. One of the things about group policy is when you apply group policies, group policies do not apply from domain to domain. What happens is, if there's a group policy object that's in domain A and you want that policy to be in your environment, chances are the user groups in the original domain do not map to the same groups in your domain, servers in the original domain do not map to servers in your domain, UNCs in the original domain do not map to your domain.
So, what happens is I can come up here to my domain environment, secondary click, and I have the ability to create a migration table. When I create this migration table, I can actually come in here, put in what was the source name, \\Texas.server1.whatever, and I can map it to AZ Server One. It allows me to map those resources, or what was in the group policy object I'm pulling from one domain, into the new domain.
I can do it for groups. Maybe this, in the original domain, mapped to a group called Texas Contract Users. Now I want to map it to Arizona Contract Users. This allows me to map them across. What's nice is when I do this - let's say, for instance, I had an environment, and I'll go ahead and talk about the export and import now - the way we export a group policy is, notice, if I secondary click on any one of my policies, there's no option to export.
What I can do is just back up. What I'd do is I'd back up that group policy to removable media and then I would get that removable media to the new environment. Once that's in the new environment and I want to bring in a new policy. Let's say, for instance, this policy here is what I want to be - This is the original. I would then come to this policy, secondary click on it, and import it. I do Next, I can back up my current policy (mumbling) had no settings in it.
Next, I browse to that removable location of where the policy is. Next, and then I select the policy I want to import. In this case, there would only be one policy there. The one I'm wanting to import. So I'll grab the - I hadn't backed it up, so I'll just grab this one. I'll do a Next and notice it's scanning it. I'll do a Next and because this was actually created in the same domain, there was no option for me to create a migration table.
If these had been created in two separate domains, when I did right here, scan results, it would say, "There are things in this domain that may not match up to things in your domain. Would you like to create a migration table?" This would actually take you to a wizard that allows you to create a migration table. It sees server one in the source domain and that's actually 2012 server one in the new domain. The group in the source domain was called Texas Contract Employees and in the new domain it is Arizona Contract and Temp Employees.
It allows you to create that migration table on the fly, without having to do it blind from just the wizard on the domain itself. I hit Next, Finish, and it imports that group policy in. All the settings that would've been in that policy in that domain. This is the way we utilize the Microsoft Security Compliance Manager tool, the SCM tool. We download SCM from Microsoft. SCM will have, as a part of it, canned group policy objects that allow us to lock down computers, lock down Windows 7 boxes, Win 8 boxes, lock down servers, lock down Internet Explorer, lock down Exchange.
It has all these built-in policies for locking these down. I export them out of the SCM as a group policy backup object, and then I create a group policy object in my new domain, or in the domain, and I import those settings I just backed up out of SCM. When I do that, I will see the option for the migration tool. We allow it to create those migration tables. In this session, some of the things we looked at, really, really quickly, are how to back up and restore group policy objects in the event a group policy object were to get corrupted or were to become inadvertently deleted.
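The migration-table and import workflow from the last few paragraphs, as an added PowerShell example (not code from the course, its author, or the SCM tool). The removable-media path, the backed-up GPO name, the target GPO name, the domain names and the group names are all placeholders; the mapped pair Texas Contract Users to Arizona Contract Users follows the session. The `.migtable` XML is written in the format the GPMC Migration Table Editor saves; the element names and namespace are stated from memory, so compare against a table saved from the editor before relying on it.

```powershell
# Added example: importing a GPO backup from another domain (or an SCM export)
# through a migration table. Every path, domain and GPO name here is a placeholder.
Import-Module GroupPolicy

$BackupPath = 'E:\gpo-export'              # placeholder: removable media holding the backup
$BackupGpo  = 'TX Contract Lockdown'        # placeholder: GPO name as it exists in the backup
$TargetGpo  = 'AZ Contract Lockdown'        # placeholder: GPO to fill in this domain
$MigTable   = 'C:\gpobackups\tx-to-az.migtable'

# A migration table is XML: one <Mapping> per security principal or UNC path in the
# source GPO, saying what it becomes in the destination domain. Types include
# User, Computer, LocalGroup, GlobalGroup, UniversalGroup and UNCPath.
# (Format as remembered from the Migration Table Editor; verify against a saved table.)
$migXml = @'
<?xml version="1.0" encoding="utf-16"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>Texas Contract Users@texas.example</Source>
    <Destination>Arizona Contract Users@arizona.example</Destination>
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\server1.texas.example\logon</Source>
    <Destination>\\server1.arizona.example\logon</Destination>
  </Mapping>
</MigrationTable>
'@
# The declaration says utf-16, so write it as Unicode (UTF-16 LE with BOM).
[System.IO.File]::WriteAllText($MigTable, $migXml, [System.Text.Encoding]::Unicode)

# Look at the backup before importing (the wizard's "scan results" step, done by hand):
# each backup folder carries a gpreport.xml describing the settings it contains.
Get-ChildItem -Path $BackupPath -Recurse -Filter gpreport.xml |
    Select-String -Pattern 'texas.example', 'Texas Contract Users' |
    Select-Object Filename, LineNumber, Line

# Import the settings into the target GPO, translating names through the table.
# -CreateIfNeeded creates the target GPO if it does not exist yet (the session
# creates it by hand first). An SCM export is consumed with the exact same call:
# point -Path at the folder SCM wrote the GPO backup into.
Import-GPO -BackupGpoName $BackupGpo -Path $BackupPath `
           -TargetName $TargetGpo -MigrationTable $MigTable -CreateIfNeeded

# Confirm the mapped names actually landed: the report of the imported GPO should
# now reference the Arizona group and server, not the Texas ones.
$report = Get-GPOReport -Name $TargetGpo -ReportType Xml
$report | Select-String -Pattern 'Arizona Contract Users', 'arizona.example' | Select-Object Line
if ($report -match 'texas\.example') {
    Write-Warning 'Unmapped source-domain references remain; extend the migration table.'
}
```

The final check matters because an entry the table does not cover is copied through unchanged: a group or UNC from the source domain that does not exist here yields a setting that either fails silently or points users at a path you do not control, so grep the imported report for the old domain name before linking the GPO anywhere.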
We looked at how to copy group policy objects so that one administrator can copy another administrator's group policy object without affecting the filters. We looked at what a migration table is and what it's used for and we looked at how to export and import group policy objects. In reality, "exporting" is probably the wrong term, but that's what they refer to it as. It's really we do a copy to removable media and then we import it into the new environment.
Even though it's referred to as exporting and importing, keep in mind there's truly no export option in the group policy interface.