Group Policy Explained





Paul Semple, psemple@rm.com

"[Group Policy is] the ability for the Administrator to state a wish about the state of their users' environment once, and then rely on the system to enforce that wish."

Agenda
- What is Group Policy?
- What is a Group Policy Object (GPO)?
- How do we (RM) manipulate GPOs?
- Inside a GPO
- Management and configuration of a GPO
- How GPOs are applied
- Caveat

What is Group Policy?
- Rules that are applied to a machine every time the operating system starts up and a user logs on

Group Policies can:
- Configure users' desktops
- Configure local security on computers
- Install applications
- Configure Internet Explorer settings
- Redirect special folders

What is a Group Policy Object (GPO)?
- Group Policy Objects (GPOs) are collections of computer and/or user-specific settings
- GPOs are designed as a way to modify user and computer settings globally through a controllable, manageable central interface

How do we (RM) manipulate GPOs?
- User and computer configuration in Community Connect is based on Group Policy
- Community Connect ships with ready-made GPOs
- Community Connect applies Group Policies to the Establishments OU
- This allows non-Community Connect machines to be integrated into your domain

Group Policy administrative tools

Group Policy Objects in more detail
- Use the Microsoft Group Policy Management Console (GPMC.MSC) to view GPO configuration and settings

Managing Group Policy prior to the GPMC

Group Policy Management Console
- Think of the GPMC as a one-stop resource for managing your Group Policy needs
- http://www.microsoft.com/windowsserver2003/gpmc/default.mspx (only install on Windows Server 2003)

- The GPMC provides an overview of the content of a GPO

GPOs under the microscope: inside a GPO
- Divisions of a GPO (GPEDIT): Computer Configuration and User Configuration
- Administrative Templates: registry-based settings
- User Configuration settings modify HKEY_CURRENT_USER
- Computer Configuration settings modify HKEY_LOCAL_MACHINE

Policies are applied in a specific order
- Community Connect GPOs are linked at the Establishments OU
- Remember the acronym LSDOU: Local, Site, Domain, Organizational Unit
- GPOs are applied in that order, local first and OU GPOs last, so the last writer wins: a setting configured in an OU GPO overrides the same setting configured at domain, site or local level

When is Group Policy applied?
- Start-up and shutdown
- Logon and logoff
- Defined intervals (the Group Policy refresh interval)
- Forced with GPUPDATE.exe

How Group Policy affects start-up and logon: computer policies
1. The network starts.
2. A list of GPOs is obtained for the computer. If no changes have been made to the list of GPOs, or to the GPOs themselves, no processing is done.
3. Computer Configuration settings are processed. No user interface is displayed while they are processed.
4. Start-up scripts run.
5. The user presses Ctrl+Alt+Del to log on.

How Group Policy affects start-up and logon: user policies
1. After the user is validated, their profile is loaded.
2. A list of GPOs is obtained for the user. Again, if no changes have been made to the list of GPOs or to the GPOs themselves, no processing is done.
3. User Configuration settings are processed in the following order: local GPO, site GPOs, domain GPOs, and OU GPOs. No user interface is displayed while user policies are processed.
4. Logon scripts run.
5. The operating system user interface set by Group Policy appears.

User policies
- 4 standard CC4 user types, each correlating to an AD GPO

Using security groups to filter GPO scope
- By default, Authenticated Users have Read and Apply Group Policy rights on a GPO
- We (RM) refine this so that the appropriate GPOs are applied to the appropriate users and computers

GPOs can be disabled
- Entirely (for troubleshooting)
- Partially, by disabling the unused Computer Configuration or User Configuration half of the GPO (performance)

GPO components: Group Policy Containers
- GPOs consist of two objects: a Group Policy Container (GPC) and a Group Policy Template (GPT)
- GPCs are stored in Active Directory
- View them by enabling Advanced Features in Active Directory Users and Computers, then browsing to System\Policies

GPO components: Group Policy Templates
- Group Policy Templates hold the policy settings that are applied to stations and users
- GPTs are stored in the file system of your domain controllers, in the %SystemRoot%\SYSVOL\sysvol\<DomainName>\Policies directory
- Each GPT folder is named after the GPO's GUID; for example, the Standard UserType GPO lives in {8978D66E-EA13-4D17-A389-A93785F5DBC2}

Which folders get populated depends on the GPO they relate to:
- The ADM folder is populated if the GPO is configured to specify custom registry settings
- The Machine folder contains the settings for the Computer part of the GPO: Registry.pol (it can also contain GptTmpl.inf security settings)
- The User folder contains the settings for the User part of the GPO: Registry.pol
- GPT.ini records the GPO's version number

How can I look at the Registry.pol file contents?
- The Registry.pol file contains the current set of registry policy settings defined in the computer or user portion of a GPO
- You can use the regview.exe tool from the Windows Server 2003 Resource Kit Tools to view the contents of any Registry.pol file

What happens on the station?
- Client Side Extensions (CSEs) interpret GPOs and make the changes to the environment
- They are called by Winlogon at computer start-up, at user logon and at the Group Policy refresh interval
- CSEs are DLLs, each responsible for a specific policy area

What happens on the station?

Extension               DLL
Registry                Userenv.dll
Disk Quota              Dskquota.dll
Folder Redirection      Fdeploy.dll
Scripts                 Gptext.dll
Software Installation   Appmgmts.dll
Security                Scecli.dll
IP Security             Gptext.dll
EFS Recovery            Scecli.dll
IE Maintenance          Iedkcs32.dll

- Slow-link detection uses Internet Control Message Protocol (ICMP)
- Some policies are not applied if the link is considered slow (Folder Redirection, IE Maintenance)

On boot:
- The client (Winlogon) uses LDAP to search for and build the list of GPOs to be evaluated for processing, using the gPLink attribute of each container
- Each GPO is then looked up in AD to check whether the user or computer has permission to process it
- The path to the GPT and the version are also evaluated
- The GPT.ini version number is checked

What happens on the station if a GPO changes?
- Stations keep a record of the version numbers of the GPOs they have processed:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History (computer policies)
  HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\<SID of user> (user policies)
- The GP version in the registry doesn't have to be smaller, it just has to be different
- The version reflects the number of changes made to the GPT and GPC; comparing the two ensures they are in sync and, if not, initiates a policy refresh
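To make the version check concrete, here is an added Python example (not RM's or Microsoft's code) that decodes the single 32-bit Version value GPT.ini stores into its Computer and User halves and applies the slide's rule: a half is reprocessed when the recorded version differs, not merely when it is lower. The GPT.ini text is constructed; treating a GPC/GPT mismatch as "changed" follows the slide's description and is an assumption about the exact client logic.

```python
import configparser

# Constructed GPT.ini, as found at
# %SystemRoot%\SYSVOL\sysvol\<DomainName>\Policies\{<GPO GUID>}\GPT.ini
SAMPLE_GPT_INI = """[General]
Version=65539
displayName=Standard UserType
"""


def split_version(version: int) -> tuple[int, int]:
    """Split the 32-bit GPO version into (machine_version, user_version).

    The low 16 bits count Computer Configuration changes, the high 16 bits
    count User Configuration changes: 65539 = 0x00010003 -> machine 3, user 1.
    """
    return version & 0xFFFF, (version >> 16) & 0xFFFF


def join_version(machine_version: int, user_version: int) -> int:
    """Inverse of split_version; this is the number written to GPT.ini and
    to the GPC's versionNumber attribute in AD."""
    return (user_version << 16) | (machine_version & 0xFFFF)


def read_gpt_version(gpt_ini_text: str) -> int:
    """Read Version from the [General] section of a GPT.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(gpt_ini_text)
    return int(cp["General"]["Version"])


def plan_refresh(gpt_version: int, gpc_version: int, history: dict) -> dict:
    """Decide what a station has to reprocess for one GPO.

    history mirrors the per-GPO Version the client keeps under its
    Group Policy\\History key: {"machine": int, "user": int}.
    The test is inequality, not "newer than": restoring an older GPO backup
    lowers the version and must still trigger a refresh.
    """
    in_sync = gpt_version == gpc_version
    machine_now, user_now = split_version(gpt_version)
    return {
        "in_sync": in_sync,
        # GPC and GPT out of step (replication lag or a half-finished edit) is
        # treated as a change so both halves are re-read (assumption following
        # the slide, not a statement of Microsoft's exact behaviour)
        "machine": (not in_sync) or machine_now != history["machine"],
        "user": (not in_sync) or user_now != history["user"],
    }


if __name__ == "__main__":
    v = read_gpt_version(SAMPLE_GPT_INI)
    print("machine/user version:", split_version(v))
    print(plan_refresh(v, v, {"machine": 3, "user": 0}))
```

Because the two halves are independent counters, editing only the User Configuration side leaves the machine half untouched, which is why a computer that has already applied the GPO does nothing at its next refresh while users of the same GPO get reprocessed.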

Which policies have been applied? Watermarks
- HKLM\Software\Policies\Research Machines\Network Management\Computer Policies
- HKCU\Software\Policies\Research Machines\Network Management\User Policies

Speaking of SYSVOL: Group Policy replication
- In a domain that contains more than one domain controller, Group Policy information propagates, or replicates, from one domain controller to another

ADM templates
- Used to populate the Administrative Templates folder in the Group Policy Editor
- D:\RMNetwork\RMManage\Type Manager\ADM
- Removing a template does not affect policies already defined

Policies and preferences
- A policy is a registry setting that lives under either \Software\Policies or \Software\Microsoft\Windows\CurrentVersion\Policies (in HKLM for machine policy settings and HKCU for user policy settings). All other registry values are called preferences.
- Policies do not "tattoo": when the GPO no longer applies to the user or computer, the setting is removed again. Preferences are written once and left behind.

- Third-party apps are often not coded to take advantage of the volatile Policies registry areas
- To use GPOs to control these apps, create a custom ADM file: http://support.microsoft.com/kb/225087
- To view ADM settings that set preferences, untick "Only show policies that can be fully managed" in the Group Policy Editor
- Red for preferences, blue for policies

What can't GPOs do, and what else can they do?
- GPOs cannot control applications that do not store their settings in the system registry
- GPOs can give us control over the desktop, Control Panel access, Start Menu and Taskbar, Windows components, and more
- GPOs can enforce security
- GPOs can redirect My Documents, which aids backup
- GPOs allow the creation of a standard desktop for multiple users
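The "How can I look at the Registry.pol file contents?" slide points at regview.exe, and the policies-and-preferences slides explain which registry locations are cleaned up and which tattoo. The added Python example below (not RM's or Microsoft's code) does both jobs offline: it parses the PReg format that Registry.pol uses and flags every entry as a policy, a deletion marker, or a preference that will be left behind. The sample file is constructed in the block itself; the "Contoso\Updater" key stands in for a hypothetical third-party application driven by a custom ADM.

```python
import struct
from dataclasses import dataclass

REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7
TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
# The two registry locations the slides define as "policy"; anything else a
# Registry.pol entry writes to is a preference and will tattoo the station.
POLICY_ROOTS = ("software\\policies\\",
                "software\\microsoft\\windows\\currentversion\\policies\\")

def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")

@dataclass
class PolEntry:
    key: str        # relative to HKLM (Machine\Registry.pol) or HKCU (User\Registry.pol)
    value: str
    reg_type: int
    data: bytes

    def decoded(self):
        if self.reg_type == REG_DWORD and len(self.data) == 4:
            return struct.unpack("<I", self.data)[0]
        if self.reg_type in (REG_SZ, REG_EXPAND_SZ):
            return self.data.decode("utf-16-le").rstrip("\x00")
        if self.reg_type == REG_MULTI_SZ:
            return [s for s in self.data.decode("utf-16-le").split("\x00") if s]
        return self.data

    @property
    def is_policy(self) -> bool:
        return (self.key.lower() + "\\").startswith(POLICY_ROOTS)

    @property
    def is_deletion(self) -> bool:
        # **Del.<name>, **DelVals., **DeleteValues, **DeleteKeys tell the CSE to
        # remove rather than write; this is how a Disabled policy un-sets itself
        return self.value.startswith("**")

def _expect(buf: bytes, pos: int, ch: str) -> int:
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_utf16z(buf: bytes, pos: int) -> tuple[str, int]:
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string in Registry.pol")
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(buf: bytes) -> list[PolEntry]:
    """PReg format: b'PReg' + DWORD version 1, then [key;value;type;size;data]
    records, with every string and delimiter in UTF-16LE."""
    if len(buf) < 8 or buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    entries, pos = [], 8
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        value, pos = _read_utf16z(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        reg_type, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        data, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        entries.append(PolEntry(key, value, reg_type, data))
    return entries

def _record(key: str, value: str, reg_type: int, data: bytes) -> bytes:
    """Encoder, used only to build the constructed sample below."""
    return (_u16("[") + _u16(key) + b"\x00\x00" + _u16(";") + _u16(value) + b"\x00\x00"
            + _u16(";") + struct.pack("<I", reg_type) + _u16(";")
            + struct.pack("<I", len(data)) + _u16(";") + data + _u16("]"))

# Constructed User\Registry.pol with one entry of each kind
SAMPLE_POL = b"PReg" + struct.pack("<I", 1) + b"".join([
    _record("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
            "NoDriveTypeAutoRun", REG_DWORD, struct.pack("<I", 0xFF)),
    _record("Software\\Policies\\Microsoft\\Windows\\System",
            "**Del.DisableCMD", REG_DWORD, struct.pack("<I", 0)),
    # Hypothetical third-party app whose custom ADM writes outside \Policies
    _record("Software\\Contoso\\Updater", "ServerUrl", REG_SZ,
            _u16("https://updates.example\x00")),
])

def dump(entries: list[PolEntry]) -> list[str]:
    """regview-style listing that flags entries which would tattoo the registry."""
    lines = []
    for e in entries:
        kind = ("DELETE" if e.is_deletion else
                "policy" if e.is_policy else "PREFERENCE (tattoos)")
        lines.append(f"{kind:21} {e.key}\\{e.value} = {e.decoded()!r} "
                     f"[{TYPE_NAMES.get(e.reg_type, e.reg_type)}]")
    return lines

if __name__ == "__main__":
    print("\n".join(dump(parse_registry_pol(SAMPLE_POL))))
```

Point it at a real Machine\Registry.pol or User\Registry.pol copied from SYSVOL to see exactly what a GPO will write; any line flagged PREFERENCE is a setting that will survive unlinking the GPO, which is the behaviour the custom-ADM slide warns about.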

Software Restrictions

- Allows you to control what programs can run on the computer
- File rules (also known as hash rules): a cryptographic fingerprint of the file
- Path rules: allow or disallow all programs within a folder

Summary
- A Group Policy Object is an object in Active Directory used to configure and apply settings for user and computer objects
- Two default GPOs are created when Active Directory is installed: Default Domain Policy and Default Domain Controllers Policy
- Mechanisms for managing GPOs: GPMC, GPEDIT, RMMC
- GPOs can be used to control user desktop settings and security settings, to apply scripts on user logon and logoff and computer start-up and shutdown, and for folder redirection
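Returning to the Software Restrictions slide above: the difference between a hash rule and a path rule is easiest to see by evaluating both against the same binary moved between folders. The following Python is an added example, not RM's or Microsoft's code and not the real Software Restriction Policies engine. It keeps the precedence SRP actually uses (a hash rule beats a path rule; among path rules the most specific match wins), but fingerprints with SHA-256 rather than the MD5/SHA-1 that Windows XP and Server 2003 SRP stored. The "binary" and paths are constructed.

```python
import fnmatch
import hashlib

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"


class SoftwareRestrictionRules:
    """Toy evaluator for SRP hash rules and path rules."""

    def __init__(self, default_level: str = UNRESTRICTED):
        self.default_level = default_level
        self.hash_rules: dict[str, str] = {}          # hex digest -> level
        self.path_rules: list[tuple[str, str]] = []   # (lower-cased glob, level)

    def add_hash_rule(self, file_bytes: bytes, level: str) -> None:
        self.hash_rules[hashlib.sha256(file_bytes).hexdigest()] = level

    def add_path_rule(self, pattern: str, level: str) -> None:
        # Windows paths are case-insensitive, so compare lower-cased
        self.path_rules.append((pattern.lower(), level))

    def evaluate(self, path: str, file_bytes: bytes) -> tuple[str, str]:
        """Return (level, reason) for running file_bytes from path."""
        # Hash rules identify the file itself and take precedence over path rules
        digest = hashlib.sha256(file_bytes).hexdigest()
        if digest in self.hash_rules:
            return self.hash_rules[digest], "hash rule"
        # Among matching path rules the most specific (longest) one wins, so a
        # Disallowed subfolder can be carved out of an Unrestricted parent
        matches = [(len(pat), pat, lvl) for pat, lvl in self.path_rules
                   if fnmatch.fnmatchcase(path.lower(), pat)]
        if matches:
            _, pat, lvl = max(matches)
            return lvl, f"path rule {pat}"
        return self.default_level, "default level"


# Constructed stand-in for a binary the administrator wants to block everywhere
TOOL = b"MZ\x90\x00 constructed fake executable, not a real PE file"


def demo_rules() -> SoftwareRestrictionRules:
    rules = SoftwareRestrictionRules(default_level=UNRESTRICTED)
    rules.add_path_rule(r"c:\users\*\downloads\*", DISALLOWED)  # nothing runs from Downloads
    rules.add_path_rule(r"c:\windows\*", UNRESTRICTED)
    rules.add_path_rule(r"c:\windows\temp\*", DISALLOWED)       # user-writable hole inside %SystemRoot%
    rules.add_hash_rule(TOOL, DISALLOWED)                        # this exact file, wherever it lands
    return rules


if __name__ == "__main__":
    rules = demo_rules()
    for path, data in [(r"C:\Users\alice\Downloads\tool.exe", TOOL),
                       (r"C:\Temp\tool.exe", TOOL),              # copied out of Downloads
                       (r"C:\Temp\tool.exe", TOOL + b"\x00"),    # one appended byte
                       (r"C:\Windows\Temp\drop.exe", b"dropper")]:
        print(path, "->", rules.evaluate(path, data))
```

The two failure modes a practitioner should take from this: a path rule is defeated by copying the file somewhere the rule does not cover, and a hash rule is defeated by changing a single byte of the file, after which only the default level applies. That is why a Disallowed default with Unrestricted path rules for trusted locations is the stronger posture, and why the Temp carve-out under %SystemRoot% matters.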

Summary
- GPOs are applied in a specific order
- GPOs are inherited by default; this can be changed by blocking Group Policy inheritance, configuring No Override (Enforced), or filtering with security group permissions
- A GPO is a combination of the GPT and GPC

Need to know more?
- http://www.microsoft.com/grouppolicy
- http://www.microsoft.com/windowsserver2003/gpmc
- GPOs Hardcore seminar session!
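The "Policies are applied in a specific order" slide and the summary above name four interacting mechanisms: LSDOU ordering with last writer wins, inheritance blocking, No Override (Enforced), and security-group filtering. The added Python below (not RM's or Microsoft's code, and not how the Windows client is implemented) models all four in one resolver so the resulting precedence can be checked rather than remembered. The domain, OU names, GPO names and settings are constructed for the example; an explicit Deny Apply Group Policy ACE is not modelled.

```python
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict                       # setting -> value; same-named settings collide
    enforced: bool = False               # "No Override" in the Windows 2003-era console
    disabled: bool = False               # GPO disabled entirely, as on the troubleshooting slide
    apply_to: frozenset = frozenset({"Authenticated Users"})  # groups with Read + Apply Group Policy


@dataclass
class Container:
    name: str
    links: list                          # GPMC link order: links[0] is link 1, applied last, so it wins
    block_inheritance: bool = False


def resolve(chain: list, member_of: set) -> tuple[list, dict]:
    """chain: containers in LSDOU order (local machine first, the object's own OU last).
    member_of: security groups of the user or computer being processed.
    Returns (GPO names in the order applied, {setting: (value, winning GPO)})."""
    principal_groups = member_of | {"Authenticated Users"}

    def passes_filter(gpo: GPO) -> bool:
        # Security filtering: without Apply Group Policy on the GPO, it is skipped
        return not gpo.disabled and bool(gpo.apply_to & principal_groups)

    # Block Inheritance stops non-enforced GPOs linked above the blocking container;
    # the deepest block is the one that matters
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)

    normal, enforced_per_container = [], []
    for i, container in enumerate(chain):
        visible = [g for g in reversed(container.links) if passes_filter(g)]  # link N ... link 1
        enforced_per_container.append([g for g in visible if g.enforced])
        if i >= block_at:                # the blocking OU's own links still apply
            normal.extend(g for g in visible if not g.enforced)

    # Non-enforced GPOs apply in LSDOU order (later overrides earlier). Enforced GPOs
    # apply after all of them, leaf container first, so the enforced link highest in
    # the hierarchy is written last and wins even over a deeper OU.
    order = normal + [g for per in reversed(enforced_per_container) for g in per]

    effective = {}
    for gpo in order:
        for setting, value in gpo.settings.items():
            effective[setting] = (value, gpo.name)   # last writer wins
    return [g.name for g in order], effective


# Constructed hierarchy loosely following the slides: a school domain with an
# Establishments OU and one school OU below it. All names are made up.
LOCAL = Container("Local", [GPO("Local Computer Policy",
                                {"ScreenSaverTimeout": 600, "Wallpaper": r"C:\default.bmp"})])
SITE = Container("Site: Main", [])
DOMAIN = Container("Domain: school.example", [
    GPO("Default Domain Policy", {"MinPasswordLength": 8, "ScreenSaverTimeout": 900}, enforced=True),
])
ESTABLISHMENTS = Container("OU: Establishments", [
    GPO("Pupil Desktop", {"ScreenSaverTimeout": 300, "NoRun": True, "Wallpaper": r"\\server\pupil.bmp"},
        apply_to=frozenset({"Pupils"})),
    GPO("Staff Desktop", {"NoRun": False}, apply_to=frozenset({"Staff"})),
])


def build_chain(block_inheritance: bool) -> list:
    school = Container("OU: Hill School",
                       [GPO("Exam Lockdown", {"DisableCMD": True, "ScreenSaverTimeout": 120})],
                       block_inheritance=block_inheritance)
    return [LOCAL, SITE, DOMAIN, ESTABLISHMENTS, school]


if __name__ == "__main__":
    for block in (False, True):
        applied, effective = resolve(build_chain(block), {"Pupils"})
        print(f"block inheritance={block}: applied {applied}")
        for setting, (value, winner) in sorted(effective.items()):
            print(f"  {setting} = {value!r}  (from {winner})")
```

Two results are worth noting. The enforced Default Domain Policy wins the ScreenSaverTimeout contest even though the Hill School OU is deeper and would otherwise be the last writer, and turning on Block Inheritance at the school OU removes the Establishments GPOs but not the enforced domain one. Filtering is what keeps Staff Desktop out of a pupil's result; when an RM user type "doesn't get" a GPO, the Apply Group Policy ACE is the first thing to check.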