Group Policy 21/05/2013

GROUP POLICY

Group Policy is not a new technology for Active Directory, but it has grown and improved with every iteration of the operating system and service pack since it was first introduced in Windows 2000. Changes and enhancements have come in managing Group Policy (the Group Policy Management Console and the Group Policy Management Editor), in the available settings (now more than 5,000), in targeting objects, and in troubleshooting your Group Policy infrastructure.

Administrators configure and deploy Group Policy by building Group Policy objects (GPOs). GPOs are containers for groups of settings (policy settings) that can be applied to user and computer accounts throughout an Active Directory network. It is possible to create one all-encompassing GPO or several different GPOs, one for each type of function. There are two major nodes in the Group Policy Management Editor (GPME): Computer Configuration and User Configuration. Computer Configuration policies manage machine-specific settings such as disk quotas, security auditing, and Event Log management. User Configuration policies apply user-specific settings such as application configuration, Start menu management, and folder redirection.

LINKING

The act of assigning GPOs to a site, domain, or OU is called linking.

GPOs are stored in two parts: a Group Policy container (GPC) and a Group Policy template (GPT), which is a folder structure in SYSVOL. The container part is stored in Active Directory and contains property information, version information, status, and a list of components. The folder structure path is Windows\SYSVOL\sysvol\<Domainname>\Policies\<GUID>\, where GUID is the globally unique identifier for the GPO.

Each GPO contains many possible settings for many functions; you configure only a handful of them in each GPO, and the others are left inactive. You cannot specify several settings in a GPO and then choose which of them apply to whom; a GPO is all or nothing. If you wish different settings to be applied to different users or groups of users, create different GPOs and link them to the different groups of users. There is an exception: the new Group Policy preferences delivered with Windows Server 2008, Vista SP1 and Windows 7. All the Group Policy preferences come with item-level targeting, which works at the level of the individual policy setting.
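As an added example (not part of the lecture), the following PowerShell maps each GPO to its two halves, the GPC distinguished name in Active Directory and the GPT folder in SYSVOL, and checks that the version numbers recorded on both sides agree. A persistent mismatch means one half has not replicated, and clients may then apply stale settings or none at all. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the account can read SYSVOL.

```powershell
# Added example, not from the lecture: map each GPO to its GPC (AD) and GPT (SYSVOL)
# halves and flag version mismatches between them. Assumes the GroupPolicy and
# ActiveDirectory modules (RSAT) and read access to SYSVOL.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot   # DNS name of the domain you are logged on to

function Get-GpoStorageInfo {
    param([Parameter(Mandatory)] $Gpo)

    # GPC: the policy object in AD under CN=Policies,CN=System,<domain DN>
    $gpcDn = $Gpo.Path
    # GPT: the folder in SYSVOL named after the GPO's GUID (the path quoted in the lecture)
    $gptPath = "\\$domain\SYSVOL\$domain\Policies\{$($Gpo.Id)}"

    # gpt.ini in the template folder records the template-side version number
    $iniVersion = $null
    $iniFile = Join-Path $gptPath 'gpt.ini'
    if (Test-Path $iniFile) {
        $hit = Select-String -Path $iniFile -Pattern '^Version=(\d+)' | Select-Object -First 1
        if ($hit) { $iniVersion = [int]$hit.Matches[0].Groups[1].Value }
    }

    [pscustomobject]@{
        Name           = $Gpo.DisplayName
        Id             = $Gpo.Id
        GpcDn          = $gpcDn
        GptPath        = $gptPath
        GptIniVersion  = $iniVersion
        # AD-side version vs SYSVOL-side version, for each half of the GPO
        ComputerInSync = ($Gpo.Computer.DSVersion -eq $Gpo.Computer.SysvolVersion)
        UserInSync     = ($Gpo.User.DSVersion -eq $Gpo.User.SysvolVersion)
    }
}

# Report every GPO in the domain; anything not in sync deserves a look at AD/SYSVOL replication
Get-GPO -All | ForEach-Object { Get-GpoStorageInfo -Gpo $_ } |
    Sort-Object Name |
    Format-Table Name, ComputerInSync, UserInSync, GptIniVersion, GptPath -AutoSize
```

A mismatch is usually transient (replication latency between domain controllers), but one that persists is a classic cause of "the setting is in the GPO but never applies"; the Details tab in GPMC shows the same AD and SYSVOL version numbers for one GPO at a time.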

POLICIES ARE INHERITED AND CUMULATIVE

Group Policy settings are cumulative and inherited from parent Active Directory containers. User accounts and computer accounts located in OUs receive settings from both the GPO linked to the domain and the GPO linked to their specific OU. Some blanket policy settings can be applied to the entire domain, while others can target accounts according to the OUs to which they are linked.

GROUP POLICY REFRESH INTERVALS

Policies apply in the background every 90 minutes, with up to a 30-minute random offset so that hundreds or even thousands of computers do not hit the domain controller at once. Domain controllers refresh Group Policy every five minutes. There is also a policy to configure all of these settings, which we will look at later. Exceptions to the refresh interval include folder redirection, software installation, script application, Group Policy preference printers, and Group Policy preference drive maps; these are applied only at logon (for user accounts) or system startup (for computer accounts).

LOCAL POLICIES AND GROUP POLICY OBJECTS

When you open the Group Policy tool (gpedit.msc), it automatically focuses on the local machine GPO. Administrators can use the tool to configure account settings (such as the minimum password length and the number of bad logon attempts before the account is locked), to set up auditing, and to specify other miscellaneous settings. The domain-based policy editor, the Group Policy Management Editor, includes a number of settings (including software installation and folder redirection) that are not available for local policies.

If you are working on a Windows Server 2008, Vista or Windows 7 computer, you have more than the local GPO (LGPO) to configure. On these computers you also have GPOs that can target groups of local users (the Administrators and Non-Administrators LGPOs) and individual users (User-Specific LGPOs). To access these local GPOs for editing, follow these steps:

1. Select Start > Run.
2. Type MMC in the Open text field.
3. In the MMC console, select the File menu from the toolbar.
4. Select Add/Remove Snap-in from the drop-down menu.
5. Select Group Policy Object Editor from the list of snap-ins and click Add.
6. Leave Local Computer as the entry under Group Policy Object and click the Browse button.
7. Select the Users tab in the Browse for a Group Policy Object dialog box.
8. Select Administrators from the list, and then click OK.
9. Repeat steps 5 to 8 for Non-Administrators.
10. Click OK in the Add or Remove Snap-ins dialog box.
11. Expand the Local Computer\Administrators Policy node in the console window.

As you can see in the selection, you could also choose individual users; the user must have an account in the local SAM of the computer you are configuring.

DOMAIN-BASED GPOS

For this lab, create a new OU called Desktops in Active Directory Users and Computers (ADUC).

To manage domain-based Group Policy objects we use the Group Policy Management Console (GPMC). To open GPMC, click Start > Administrative Tools > Group Policy Management. The GPMC opens and displays the domain of which your management computer is a member. To create a new GPO in the domain, expand the GPMC tree so that you can see all the nodes that exist under the domain.

To create a GPO in the domain, follow these steps:

1. Right-click the Group Policy Objects node and select New.
2. In the New GPO dialog box, type the name for the GPO (in this case Desktop Security), and then click OK.

This creates a GPO called Desktop Security, which is not yet linked to any container in the domain. You will want to configure the GPO settings and then link it to the site, the domain, or an OU.

LINKING A GPO

To link a GPO to a node in Active Directory:

1. Right-click the desired node, in this case the Desktops OU.
2. Select the Link an Existing GPO menu option.
3. In the Select GPO dialog box, select the Desktop Security GPO, and then click OK.

The Desktops OU now has a linked GPO associated with it.

If you want to create and link a GPO to an OU, you can do this in a single step: right-click the OU (or domain or site) and select Create a GPO in this domain, and Link it here. This performs both steps in one action.

Click the GPO. The GPO has tabs and properties associated with it in the right pane of the GPMC. Four tabs are associated with each GPO: Scope, Details, Settings, and Delegation. The Scope tab keeps track of many aspects of the GPO; the most important of these are which Active Directory nodes the GPO is linked to, shown in the uppermost area named Links, and which security principals it applies to, shown in the middle area named Security Filtering.
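The same create-and-link procedure, as an added PowerShell example rather than the lecture's own steps: it creates the Desktop Security GPO, links it to the Desktops OU, and then prints the two parts of the Scope tab (Links and Security Filtering) so you can confirm what was done. The domain DN is a placeholder, and the GroupPolicy RSAT module is assumed.

```powershell
# Added example, not from the lecture: create the Desktop Security GPO, link it to
# the Desktops OU, and print what the Scope tab would show. The domain DN is a placeholder.
Import-Module GroupPolicy

$domainDn = 'DC=lab,DC=local'            # placeholder: replace with your domain DN
$ouDn     = "OU=Desktops,$domainDn"

# Same as right-clicking Group Policy Objects > New: the GPO exists but is linked nowhere yet
$gpo = New-GPO -Name 'Desktop Security' -Comment 'Lab GPO for desktop restrictions'

# Same as right-clicking the OU > Link an Existing GPO
New-GPLink -Guid $gpo.Id -Target $ouDn -LinkEnabled Yes | Out-Null

# Scope tab, "Links" area: every link on the OU, in link order (1 = highest precedence)
Get-GPInheritance -Target $ouDn |
    Select-Object -ExpandProperty GpoLinks |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# Scope tab, "Security Filtering" area: trustees holding Apply Group Policy
# (Authenticated Users by default, i.e. every user and computer except guests)
Get-GPPermission -Guid $gpo.Id -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission -AutoSize
```

The one-step menu option "Create a GPO in this domain, and Link it here" corresponds to piping the two cmdlets together: New-GPO -Name 'Desktop Security' | New-GPLink -Target $ouDn. Creating the GPO unlinked first, as the lecture recommends, lets you configure and review settings before any computer or user can pick them up.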

WMI filters allow the targeting of GPOs to computer accounts depending on the state of the computer at the time the WMI query is run. The Details tab keeps track of the information associated with the creation and state of the GPO: here you can find the creation date, version, and so on. You can also configure whether all or part (computer and/or user) of the GPO is enabled or disabled. The Settings tab contains dynamic data about the settings configured in the GPO; it displays an HTML version of the settings report.

The Delegation tab shows the current security controlling the administration of the GPO. There are three levels of administration on this tab: two include editing the GPO, and one is only reading the settings of the GPO.

MODIFYING A GPO

Right-click the GPO and click Edit. Note that whether you edit a linked copy or the GPO itself under Group Policy Objects, it is the one actual policy object that is modified, so the change takes effect everywhere it is linked. This opens the GPME in a separate window, and you will see the policy object name at the root of the namespace, in this case Desktop Security Policy.

There are two major types of settings, as mentioned earlier. Computer Configuration settings are applied to computer accounts at startup and during the background refresh interval. User Configuration settings are applied to user accounts at logon and during the background refresh interval.

Different policies are set in different ways. For example, to specify software packages under Policies\Software Settings\Software Installation, open the folder and choose New Package from the Action menu. An Open dialog box asks for the location of the package; once you have located and selected it, you configure the package properties.

As another example, to set password requirements such as the interval users can wait before changing passwords, go to Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy. Double-click Minimum Password Length in the details pane on the right, enable the setting by selecting the Define This Policy Setting check box, and supply a number of characters.

Once you have configured your Group Policy settings, simply close the GPME window. There is no Save or Save Changes option. Changes are written to the GPO when you click OK or Apply on a particular setting, although the user or computer will not actually see the change until the policy is refreshed.

GENERAL GPO INFORMATION

When you delete a GPO, all of its policy settings are removed. GPOs live partly in Active Directory and partly in SYSVOL; both Active Directory and SYSVOL replicate automatically. Computers check for new policies to apply every 90 minutes (plus the random offset). Group Policy was created as part of Windows 2000 and does not work on earlier operating systems.

GROUP POLICY POLICIES

There are GPO settings that control the behaviour of Group Policy itself and some of its settings. Most of these settings do not need to be configured, but sometimes you may need to make minor adjustments. There are such settings for both users and computers.

You can find the settings that control Group Policy under Administrative Templates of both the User Configuration and Computer Configuration nodes (Policies\Administrative Templates\System\Group Policy).

Group Policy refresh intervals for users/computers/domain controllers: these separate policies determine how often GPOs are refreshed in the background while users and computers are working. They permit changes to the default background refresh intervals and tweaking of the offset time.

Turn off background refresh of Group Policy: if you enable this setting, policies are refreshed only at system startup and user logon. This might be useful for performance reasons in branch offices, since having 1,500 computers refreshing policies every 90 minutes could cause congestion over the WAN.
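As an added example (not from the lecture), here are the two settings above written into a GPO with PowerShell instead of the GPME. Administrative Template settings are registry-based, so Set-GPRegistryValue can write them directly. The GPO name is a placeholder, and the registry value names are the ones I know these ADMX settings map to (GroupPolicyRefreshTime and GroupPolicyRefreshTimeOffset under HKLM\Software\Policies\Microsoft\Windows\System, and DisableBkGndGroupPolicy under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System); confirm them against the ADMX files on your own system before relying on them.

```powershell
# Added example, not from the lecture: set the refresh-interval and background-refresh
# policies in a GPO via PowerShell. Assumes the GroupPolicy module; the GPO name is a
# placeholder and the registry value names are as I know them from the ADMX (verify locally).
Import-Module GroupPolicy

$gpoName    = 'Branch Office Computers'
$refreshKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

# "Group Policy refresh interval for computers": refresh every 120 minutes with a
# random offset of up to 30 minutes, instead of the 90-minute default
Set-GPRegistryValue -Name $gpoName -Key $refreshKey `
    -ValueName 'GroupPolicyRefreshTime' -Type DWord -Value 120 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $refreshKey `
    -ValueName 'GroupPolicyRefreshTimeOffset' -Type DWord -Value 30 | Out-Null

# "Turn off background refresh of Group Policy": apply policy only at startup and logon.
# Trade-off: a security change (a revoked user right, a tightened lockout policy) then waits
# for the next reboot or logon instead of reaching the machine within the refresh interval.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableBkGndGroupPolicy' -Type DWord -Value 1 | Out-Null

# Read back what the GPO now contains for each key
Get-GPRegistryValue -Name $gpoName -Key $refreshKey
Get-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System'
```

Get-GPRegistryValue is also the quickest way to audit what another administrator has put into a GPO's Administrative Templates without opening the GPME.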

See page 372 of the book for more policy settings.

HOW GROUP POLICY IS APPLIED

When you have multiple Group Policies set up, it is important to understand the order in which they are applied. Policies in the list are processed from the bottom up: in the example shown, the Environment GPO is applied first, then Desktop Backgrounds, then Desktop Security.

If you wish to change the order in which they are applied, use the up and down arrows. That order applies when multiple GPOs are linked to the same node. Policies can also be applied to different AD nodes. Sites can have linked GPOs, and whatever domain the machines and users in that site belong to, the policy settings in that GPO will apply. OUs can have linked GPOs (and OUs can contain OUs, which contain OUs); any OU in the chain can have a GPO linked to it. There are also local policies.

Policies are applied in the following order:

1. Local policy
2. Sites
3. Domains
4. Organizational Units
5. Child OUs

If the domain policy says "You must be logged in before you can shut down the machine" and the OU policy says "Allow shutdown before logon", the OU policy takes precedence because it is applied last.

FILTERING GROUP POLICY WITH ACCESS CONTROL LISTS

There will be times when you want a GPO to apply only to certain users or groups of users. To restrict who a GPO applies to, we can use access control lists (ACLs). We use the Group Policy Management Console to view and set ACLs on GPOs.

Click on any GPO and select the Delegation tab; to view the full ACL, click the Advanced button on that tab. It may happen that you create a GPO to restrict desktops and you do not want to apply it to a certain group of people. The group Authenticated Users includes everyone (user and computer accounts) but guests, so by default the GPO applies to everyone but guests; that means even Domain Admins and Enterprise Admins receive the policy settings.

To prevent Domain Admins and Enterprise Admins from receiving this policy, select the Deny box next to Apply Group Policy for those groups. Alternatively, remove the Authenticated Users group from the Security Filtering part of the Scope tab, add all the users who need the settings to a security group, and then add that security group to the Security Filtering part of the Scope tab.
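The second method above (security filtering by group), as an added PowerShell example that is not part of the lecture. The GroupPolicy module's Set-GPPermission cannot write an explicit Deny ACE, so the first method still needs the Advanced ACL editor; this example instead reduces Authenticated Users to read-only and grants Apply to one group. One caveat worth building in: since the MS16-072 security update (2016), the computer account retrieves user-side GPOs, so Authenticated Users (or Domain Computers) must keep Read on the GPO or it silently stops applying. The GPO and group names are placeholders.

```powershell
# Added example, not from the lecture: restrict 'Desktop Security' to one security group
# using security filtering. Assumes the GroupPolicy module; names are placeholders.
Import-Module GroupPolicy

$gpoName = 'Desktop Security'
$group   = 'Desktop Users'     # placeholder: the group that should receive the settings

# Downgrade Authenticated Users from Read+Apply to Read only (-Replace swaps the level
# instead of adding to it). Keep Read: after MS16-072 the computer account reads user-side
# GPOs, so removing Authenticated Users entirely breaks processing for everyone.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Grant Read + Apply Group Policy to the intended group only
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

function Get-GpoApplyTrustees {
    # Who will actually receive this GPO: every trustee holding Apply Group Policy
    Get-GPPermission -Name $gpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

"Trustees with Apply Group Policy on '$gpoName':"
Get-GpoApplyTrustees

# Full picture, as the Delegation tab summarises it
Get-GPPermission -Name $gpoName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission -AutoSize
```

After this change a user who is not in Desktop Users will still see the GPO listed in rsop.msc or gpresult as "Filtering: Denied (Security)", which is the expected result and a useful confirmation that the filter works.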

ENFORCING AND BLOCKING INHERITANCE

Block Inheritance is a special setting on an AD node (domain or OU) that prevents higher-level GPOs from trickling down. When Block Inheritance is enabled, the settings of higher-level policies are not applied to the lower container at all. To block inheritance, in the Group Policy Management Console right-click the domain or OU at which you wish to block it and choose Block Inheritance.

When Enforce is turned on for a GPO link, Block Inheritance is neutralized for that enforced GPO. Also, the settings in GPOs applied later cannot reverse the settings in the enforced GPO.

To enforce a GPO, right-click the linked GPO and choose Enforce. The Enforce and Block Inheritance settings are best used sparingly; otherwise, in a troubleshooting situation it becomes rather complicated to determine which GPOs are applied where.
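Because these two settings are meant to be rare, it helps to be able to list every place they are in use. The following added PowerShell example (not from the lecture) performs both actions from the command line and then audits the whole domain for blocked containers and enforced links. It assumes the GroupPolicy and ActiveDirectory RSAT modules, a Desktops OU, and a GPO named Security Baseline that is already linked at the domain (a placeholder name).

```powershell
# Added example, not from the lecture: block inheritance on an OU, enforce a domain-linked
# GPO, then report every blocked container and enforced link in the domain.
# Assumes the GroupPolicy + ActiveDirectory modules; 'Security Baseline' is a placeholder
# for a GPO that is already linked at the domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$desktops = "OU=Desktops,$domainDn"

# Right-click OU > Block Inheritance
Set-GPInheritance -Target $desktops -IsBlocked Yes | Out-Null

# Right-click the linked GPO > Enforce: it now reaches the blocked OU as well, and no GPO
# applied later can reverse its settings
Set-GPLink -Name 'Security Baseline' -Target $domainDn -Enforced Yes | Out-Null

function Get-GpoOverrideReport {
    # One row per blocked container and per enforced link, across the domain and all OUs
    $targets = @($domainDn) +
        (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $targets) {
        $inh = Get-GPInheritance -Target $dn
        if ($inh.GpoInheritanceBlocked) {
            [pscustomobject]@{ Container = $dn; Finding = 'Block Inheritance'; Gpo = '' }
        }
        foreach ($link in ($inh.GpoLinks | Where-Object { $_.Enforced })) {
            [pscustomobject]@{ Container = $dn; Finding = 'Enforced link'; Gpo = $link.DisplayName }
        }
    }
}

# Expect a short list; every row is something the next troubleshooter has to know about
Get-GpoOverrideReport | Format-Table -AutoSize
```

Running the report function on a schedule and diffing its output against the last run is a cheap way to notice when someone quietly blocks inheritance on an OU, which is one way a security baseline stops reaching a set of machines.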

GROUP POLICY EXAMPLE LAB: FORCING COMPLEX PASSWORDS

You want to create a highly secure password policy for users in the domain. You decide to create a GPO with the following criteria: complex passwords, and a minimum of 12 characters in the password. To implement your solution, follow these steps:

1. Open GPMC.
2. Right-click the domain node.
3. Select Create a GPO in this domain, and Link it here. Type New Password Policy for the name of the GPO and click OK.
4. Right-click the New Password Policy GPO and select Edit.
5. In the GPME, drill down to the Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy node.

6. Enable the Password must meet complexity requirements option, and then configure the minimum password length as 12 characters.
7. Exit the GPME.

Now create a user account and try to give it a short seven-character password. You probably expect an error message, but you do not get one: the system accepts the short password despite the New Password Policy GPO. Every AD domain automatically gets a GPO called Default Domain Policy. When you created the new GPO, New Password Policy, the system placed it below the Default Domain Policy, as it does by default; reading top to bottom, you can see the order in which policies were created or linked to the domain.

The Default Domain Policy object has only a seven-character minimum password length! You could set New Password Policy to Enforce, but that seems like overkill in this situation. Instead, you can just move it above Default Domain Policy in the UI. The result: 12-character passwords.
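The link-order fix from the lab, as an added PowerShell example rather than the lecture's own steps. It assumes New Password Policy has already been created and linked at the domain (lab steps 1 to 3) and its settings configured in the GPME (steps 5 and 6), and that the GroupPolicy and ActiveDirectory RSAT modules are available. Account policies for domain accounts are taken only from the winning GPO linked at the domain, which is why this lab links at the domain and why link order decides the outcome.

```powershell
# Added example, not from the lecture: show the domain link order, move New Password Policy
# to the top so it outranks Default Domain Policy, and read back the effective policy.
# Assumes the GPO already exists, is linked at the domain and has its settings configured.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$gpoName  = 'New Password Policy'

function Get-DomainLinkOrder {
    # Link order as GPMC lists it: order 1 is processed last and therefore wins conflicts
    Get-GPInheritance -Target $domainDn |
        Select-Object -ExpandProperty GpoLinks |
        Sort-Object Order |
        Select-Object Order, DisplayName, Enabled, Enforced
}

"Link order before:"
Get-DomainLinkOrder | Format-Table -AutoSize

# Equivalent of the up-arrow on the Linked Group Policy Objects tab: move it to position 1
Set-GPLink -Name $gpoName -Target $domainDn -Order 1 | Out-Null

"Link order after:"
Get-DomainLinkOrder | Format-Table -AutoSize

# The domain's effective account policy, as the domain controllers now enforce it. Once the
# DCs have refreshed policy (gpupdate /force on a DC, or wait for the 5-minute DC refresh)
# this should read MinPasswordLength 12 and ComplexityEnabled True.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge
```

Get-ADDefaultDomainPasswordPolicy is the check that ends the lab's confusion: it reports what the domain actually enforces, independent of which GPO you think is winning.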

GROUP POLICY SETTING POSSIBILITIES

Group Policies can be used for a number of tasks, including:

Deploy software: package software and install it on machines.
Set user rights: the ability to log on locally, back up files, and so on.
Restrict the applications that users can run: restrict a user to running only specific programs.
Control system settings: environment settings, disk quotas, etc.
Set logon, logoff, startup, and shutdown scripts: trigger scripts to run.
General desktop restriction: remove most or all of the items on a user's Start menu, keep users from adding printers, prevent them from modifying their desktop configuration.

TROUBLESHOOTING GROUP POLICIES

The Resultant Set of Policy (RSOP) tool is built into Windows Server and XP, Vista and Windows 7 systems. Without RSOP, you have to look at the properties of each site, domain, and OU to see which policies and containers are linked. Then you must view the ACLs and WMI information to see whether there is any filtering, and also check the Disabled, Block Inheritance, and Enforce options. Don't

The RSOP tool is easily launched by typing rsop.msc at the command prompt. When launched, it works out the resultant set of policy that has been applied, based on the computer you are running it on and the user account that is logged in at the time the tool is run. Here you can see the Default Domain Policy settings specifying the 7-character minimum requirement.

GROUP POLICY MODELING WIZARD

Inside the GPMC (Group Policy Management Console) is a tool similar to the local RSOP, but it allows you to query any computer and user on the network to get the RSOP.

To run the Group Policy Modeling Wizard, click the Action menu and then Group Policy Modeling Wizard. When you launch the wizard, you need only provide the computer and user you want results for, and the wizard takes care of the rest:

1. The initial wizard screen opens; click Next.
2. Choose the domain and the domain controller (if desired).
3. Choose the container, computer and/or user.
4. Choose a site, if relevant.
5. Choose the security group membership.
6. Choose whether to use all filters or only specific ones.
7. A summary is displayed.
8. The modeling wizard completes; click Finish.
9. A summary report is generated.

Other command-line tools are also available from the Command Prompt: gpresult.exe and gpotool.exe.
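As an added example (not from the lecture), the following PowerShell gathers the same evidence from a script that the RSOP console, the Modeling Wizard and gpresult.exe give interactively: an HTML RSOP report for a named computer and user, the applied-GPO list as the client sees it, and any errors the Group Policy client logged in the last day. The computer and user names are placeholders; the GroupPolicy RSAT module and remote event log access to the client are assumed.

```powershell
# Added example, not from the lecture: collect RSOP data and recent Group Policy client
# errors for one machine. Computer and user names are placeholders; assumes the GroupPolicy
# module and remote event log access to the client.
Import-Module GroupPolicy

$computer = 'WS01'          # placeholder
$user     = 'LAB\jdoe'      # placeholder
$report   = Join-Path $env:TEMP "rsop-$computer.html"

# Same data as rsop.msc on the client, written as an HTML report you can keep with a ticket
Get-GPResultantSetOfPolicy -Computer $computer -User $user -ReportType Html -Path $report
"RSOP report written to $report"

# The client's own view: applied GPOs, and GPOs filtered out and why (security, WMI, disabled)
gpresult /s $computer /r /scope computer

function Get-GpClientErrors {
    param([string] $ComputerName, [int] $Hours = 24)
    # Level 2 = Error in the Group Policy operational log, e.g. a gpt.ini the client could
    # not read from SYSVOL, or a domain controller it could not reach
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 2
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

"Group Policy errors on $computer in the last 24 hours:"
Get-GpClientErrors -ComputerName $computer | Format-Table -Wrap -AutoSize
```

The operational log is the piece the GUI tools do not show: a GPO that is linked, unfiltered and in the right order but still "missing" on a client is usually explained by an error there rather than by anything in GPMC.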

KEEP IT SIMPLE

Keep your policy strategy simple. Locate users and computers together in OUs if possible, and apply policies at the highest level possible. Avoid having multiple GPOs with conflicting policies that apply to the same recipients. Minimize the use of the Enforce and Block Inheritance settings. Document your Group Policy strategy: visually depict your policy structure and put it on the wall. Test GPO settings before deployment.