Palo Alto Networks Knowledgebase: Using Active Directory GPO to Install the GlobalProtect Client
Using Active Directory GPO to Install the GlobalProtect Client
Created On 09/25/18 20:36 PM - Last Updated 02/08/19 00:06 AM
AD Group Policy Overview
Active Directory Group Policy allows you to manage your network from on high, governing how your users and computers operate within your AD environment. Policy settings can be created to target the logged-in user or the computer, and a variety of settings that can be configured, including software installation.
To apply policy settings to users and computers in your AD environment you must first configure a Group Policy Object (GPO), which resides in a special folder called “Group Policy Objects” within the AD domain. A GPO is a named collection of configured policy settings. The policy settings in the GPO aren’t enforced until the GPO is linked to an AD site, domain or organizational unit (OU).
Once the GPO is associated with one of these, the policy settings take effect for the users and computers defined within that container. If the GPO is linked at the domain level, the policy settings apply to the workstations and servers within the domain. If it is linked instead to the Marketing OU, for example, the settings apply only to computers inside that OU.
GPOs can be linked in multiple places such as two different OUs, and a site, domain or OU can have multiple GPOs linked to it. Group Policy works from the “outside in”, first processing any local policies, then applying the site, domain and subsequent OU GPOs and working its way toward the object’s position in the AD tree. If any policy settings conflict along the way, the last setting applied rules. Similarly, policy settings applied to user logons do the same, following the path to the user object’s resting place in the AD tree. AD will override policies set on the individual computer.
Group Policy is a “pull” technology. When a windows client system starts up and is connected to the network it will pull the policy and then poll the domain for GPO changes every 90 to 120 minutes by default. There are intervals for computer and user policy and both have a default offset of up to 30 minutes.
GlobalProtect and GPO
The GlobalProtect client can be installed as either a computer or user policy.
Use the Computer Policy to ensure that it is installed on specific systems regardless of the user.
Use the User Policy to ensure that specific users receive the client on all systems that they use.
Create and Link the GPO You can use the Group Policy Management MMC (Microsoft Management Console) to create and link the GPO.
Path: Active Directory Users and Computers > your domain> Properties > Group Policy
Path: Administrative Tools > Group Policy Management > Forest > Domain > your domain > Group Policy Objects