Group Policy
One of the most important system administration features in Windows 2000 and
the Active Directory is the use of Group Policy. Through the use of
Group Policy Objects (GPOs), administrators can easily define
restrictions on common actions and then apply these at the site, domain,
or organizational unit level.
Group Policy settings are based on Group Policy administrative
templates. These templates provide a list of user-friendly configuration
options and specify the system settings to which they apply. In addition,
administrators and application developers can create their own Administrative
Template files.
Group Policy settings can apply to two types of Active Directory objects:
Users and Computers. The main types of settings that can be configured with
User and Computer Group Policies are as follows:
- Software Settings - Software settings apply to specific applications and software that might be installed on the computer. These templates allow administrators to assign and publish software to end users.
- Windows Settings - Windows settings allow administrators to customize the behavior of the Windows operating system. The options differ between the User and Computer sections: the user-specific section contains options such as the default home page, while the computer section contains security options such as logon settings.
- Administrative Templates - Settings that modify the registry settings that control User Environments. Administrators can create their own templates here.
Most Group Policy items have three different settings options:
- Enabled - The setting has been configured. Some settings require additional values or options to be set.
- Disabled - Disabling a setting is itself a configuration choice: it specifies that the administrator wants to disallow the functionality the setting controls.
- Not Configured - Specifies that these settings have been neither enabled nor disabled. This is the default setting for most objects. This is a neutral selection, as if the policy does not exist.
Group Policy Objects
Group Policies may be contained in items called Group Policy objects (GPOs).
Group Policy Objects (GPOs) act as containers for the settings made
within Group Policy files, which simplifies the management of settings.
Group Policy settings are hierarchical; they can be applied at three
different levels:
- Sites - At the highest level, GPOs can be configured to apply to entire sites within an AD environment. These settings apply to all of the domains and servers that are part of a site.
- Domains - Domains are the second level to which GPOs can be assigned. GPO settings that are applied at the domain level will apply to all of the User and Computer objects within the domain. This is a common level for master GPO settings.
- Organizational Units - The most granular level of settings for GPOs is at the OU level. With a well-structured OU layout, GPO assignments at the OU level provide good corporate-wide control of the network.
As an example, an administrator may apply a domain-wide GPO which enforces
a minimum of 6 characters for user logon passwords. If the organization had
a highly secretive research division, an administrator could require that all
network communications within that OU use IPSec (encryption).
Group Policy Inheritance
Suppose a GPO at the site level specifies that users are to change passwords
every 60 days while a GPO at the OU level specifies that they must change
passwords every 90 days. With inheritance, the settings at the most
specific level (in this case, the OU, which contains the User object) will
override those at the more general levels (in this case, the site).
Administrators can modify the behavior of inheritance; there are two main
options that can be set at the various levels to which GPOs might apply:
- Block Policy Inheritance - This option specifies that Group Policy settings for an object are not inherited from its parents. This is useful in instances when a child OU requires completely different settings from a parent OU.
- Force Policy Inheritance - This option can be placed on a parent object and ensures that all child objects inherit these settings. This will ensure that corporate policies will be enforced and cannot be overridden.
One final note on inheritance: if there is a conflict between the Computer
and User settings in Group Policy, the User settings will take effect. As
an example, if a Computer policy specifies a default Desktop environment,
and a User logged on to that computer has another Desktop environment
setting, the User's specified Desktop will take effect. User settings are
more specific, which allows administrators to make changes for Users
regardless of the computer they use.
Group Policy Creation and Linking
There is one tool used to create Group Policy objects, but there are several
ways to access this tool. It may be accessed through the Group Policy MMC
snap-in, through Active Directory Users and Computers, and through
Active Directory Sites and Services.
A Group Policy object link is a link between a Group Policy object and the
Active Directory objects to which it applies. Group Policy objects can be
linked to sites, domains, and organizational units.
To link a Group Policy Object to a site (at the site level), use the Active
Directory Sites and Services tool. To link a Group Policy Object to a domain
or OU, use the Active Directory Users and Computers tool. If you want to be
able to directly edit a GPO that is linked to a particular AD object, you can
configure and save an MMC snap-in that opens that specific GPO for editing.
When linking within one of the Active Directory tools specified, right-click
the object which you want to link to a GPO, and choose properties. From the
properties sheet, select the "Group Policy" tab. Choose the "Add" button if
you have a previously created GPO you want to select. If you need to create
a new GPO, choose the "New" button.
Once a GPO has been linked or changed, the settings do not take effect until
the user has logged off and then logged back on (assuming they were logged
on when the changes were made). As an administrator, you can use Terminal
Services to quickly test your changes as different users.
If you go into the properties of a GPO, select the Security tab, add a
security group, and then deny "Read" access and deny "Apply Group Policy"
to that security group, users who are members of that group will not be
affected by the policy. This is known as "Filtering Group Policy using
Security Groups". Filtering is the process by which selected security groups
are included in or excluded from the effects of a GPO. For a GPO to apply to
a group, grant that group at least the "Apply Group Policy" and "Read"
permissions.
Group Policy Administrative Templates
Administrative Templates, created by system administrators and application
developers, provide common and useful items when configuring Group Policy
settings.
By default, there are several templates that are included with Windows 2000.
These are as follows:
- common.adm - Policy options common to both Windows 9x and NT 4 clients.
- system.adm - Policy options for Windows 2000 clients.
- inetres.adm - Policy options for configuring Internet Explorer on Windows 2000 clients.
- windows.adm - Policy options for Windows 9x clients.
- winnt.adm - Policy options for Windows NT 4 clients.
These administrative templates are located in the \WINNT\INF\ directory. The
use of the windows.adm, winnt.adm, and common.adm files is not supported on
Windows 2000 computers; they are provided for backward compatibility only.
SECEDIT.EXE
This command refreshes system security by reapplying the security settings
to the Group Policy Object.
Syntax:
secedit /refreshpolicy machine_policy
secedit /refreshpolicy {machine_policy|user_policy}[/enforce]
Parameters:
machine_policy - Refreshes security settings for the local computer.
user_policy - Refreshes security settings for the local user
account currently logged on to the computer.
/refreshpolicy - Force a Group Policy propagation event.
/enforce - Refreshes security settings, even if there have
been no changes to the Group Policy object settings.
/validate - Verifies the syntax of a template created using
Security Templates.
/analyze - Similar to the analysis performed by Security Configuration and Analysis.
/configure
/export
The /analyze, /configure, and /export switches must be associated with a
database, which is denoted by the /db switch. You can import a template into
the database with the /cfg switch.
/verbose - Show extended detail.
/quiet - Suppress details.
Script policies can be set for the following events:
logon, logoff, startup, shutdown
In order to be accessible from other domain controllers, logon/logoff and
startup/shutdown scripts should be placed in the SYSVOL share.
The name of the GPO that is created when a new domain is created is called
the "Default Domain Policy".
To redeploy an assigned or published package:
1. Open the Software Installation snap-in.
2. Locate the Group Policy object that originally deployed the application.
3. Click the package name, or browse to locate the package.
4. Right-click All Tasks.
5. Click Redeploy Application.
Security settings (domain security policy or local security policy) are
configured through Group Policy. Account policies are used to control
the logon process. Local policies are used to define security policies
for the computer, such as auditing, user rights, and security options.
NT4's "system policies" are included for backward compatibility but it is
recommended to use "group policies" in Windows 2000.
Any domain security policies you define override the local policies of
a Windows 2000 computer.
To create MSI files, use VERITAS software console and WinINSTALL Discover.
Loopback mode is when Computer GPOs take precedence over User GPOs. It is enabled at:
Computer Config\ Administrative Templates\ System\ Group Policy\
"User Group Policy loopback process enable"
When using Loopback mode, put all computers to which Loopback will apply
in their own OU and apply the Group Policy to that OU. Don't put any Users in
this OU.
To disable either User or Computer Configuration in a GPO when only the other
is needed (faster processing), go to the General tab on the properties sheet
of the GPO.
Run scripts through Group Policy instead of User properties. If both are
configured, the Group Policy scripts will run first.
Computer|User Config\ Windows Settings\ Scripts\
Startup scripts run synchronously.
Logon scripts run asynchronously.
The default timeout for scripts is 10 minutes; changes can be made at
Computer Config\ Administrative Templates\ System\ Logon\
"Maximum wait time for Group Policy scripts"
Where policy settings are stored:
Computer Configuration - HKLM\ Software\ Policies\
User Configuration - HKCU\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\
Administrative Templates - SYSVOL\sysvol\domain_name\GPOGUID\Machine|User
To configure Group Policy Diagnostic Logging:
1. Increase the size of the Application log (in Event Viewer).
2. Go to HKLM\ Software\ Microsoft\ Windows NT\ CurrentVersion\
3. Create a new key "Diagnostics".
4. Create a new DWORD value: "RunDiagnosticLoggingGlobal" = "1".
To configure Group Policy Verbose Logging:
1. Go to HKLM\ Software\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon\
2. Create a new DWORD value: "UserEnvDebugLevel" = "30002"
30000 - No logging
30001 - Errors and Warnings
30002 - Verbose
Security Policies
Account policies are applied at the domain level. If an Account Policy GPO is
linked to an OU, it will be applied only if the user logs on with a local
computer account.
To import a security policy:
Computer Config\ Windows Settings\ Security Settings\
Right-click Security Settings and choose "Import Policy".
Security settings are persistent (settings remain in the computer's registry
after the GPO is no longer applied).
A Group Policy object is stored in two places:
Group Policy Container (GPC) - Stores version information and the GPO
attributes. To view it in AD Users and Computers, enable Advanced Features
and browse to:
domain\ System\ Policies\
Group Policy Template (GPT) - Holds most of the GPO settings; clients
connect to the SYSVOL share to get the GPT data and apply the GPOs.
A new folder hierarchy is created for each GPO, and the name of the root
folder is the GUID of the GPO:
%SYSTEMROOT%\SYSVOL\sysvol\%GPOGUID%
When a GPO is linked to a container, the container will have 2 attributes
set:
gPLink - prioritized list of GPOs linked to the container
gPOptions - container settings that prevent inheritance of GPOs.
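As an added example (not part of these notes), a small Python parser for those two container attributes. The GPO GUIDs in the sample string are constructed placeholders, and treating the last gPLink entry as the highest-priority link (link order 1) is an assumption of this example.

```python
import re

# Added example (not from the original notes). gPLink is a string of
# "[LDAP://<GPO DN>;<flags>]" entries; gPOptions is an integer.
# Flag bits used here: bit 0 = link disabled, bit 1 = enforced ("Force Policy
# Inheritance"); gPOptions bit 0 = "Block Policy Inheritance".
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]")


def parse_gplink(gplink):
    """Return the linked GPOs as dicts, highest priority first."""
    links = []
    for dn, flags in GPLINK_RE.findall(gplink):
        flags = int(flags)
        links.append({
            "dn": dn,
            "disabled": bool(flags & 1),
            "enforced": bool(flags & 2),
        })
    links.reverse()  # ASSUMPTION: the last entry in gPLink is link order 1
    return links


def blocks_inheritance(gpoptions):
    """gPOptions bit 0 set means the container blocks inherited GPOs."""
    return bool(int(gpoptions) & 1)


# Constructed sample: two links, the second one enforced (placeholder GUIDs).
SAMPLE_GPLINK = (
    "[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=corp,DC=example;0]"
    "[LDAP://cn={22222222-2222-2222-2222-222222222222},cn=policies,cn=system,DC=corp,DC=example;2]"
)

if __name__ == "__main__":
    for link in parse_gplink(SAMPLE_GPLINK):
        print(link)
    print("blocks inheritance:", blocks_inheritance(1))
```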
Manage (edit/change/create) GPOs on the PDC Emulator. An Enterprise Admin
can edit a GPO for a site.
To link a GPO to a container, you must have read and write permissions to
container attributes: gPLink and gPOptions.
Group Policy refreshes every 90 minutes + random(30) minutes on Windows
2000 Professional and member servers. A Windows 2000 DC refreshes every
5 minutes. A refresh will not apply folder redirection or software
deployment changes; the user must log off and then back on.
A slow connection is defined as < 500 Kbps.
If a container has more than one GPO linked and the GPOs conflict, the
following is true:
- Site - Domain - OU: the OU wins.
- Linked to the same container: the top of the list wins.
- Between User and Computer: Computer wins.
- IP Security and User Rights: last GPO processed?
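To tie the inheritance section and these conflict rules together, here is an added Python model (not code from these notes) of how a single setting is resolved across Site, Domain and OU links, including Block Policy Inheritance and Force Policy Inheritance; the container and GPO names are constructed, and the 60/90-day values are the ones used in the inheritance example above.

```python
from dataclasses import dataclass

# Added example (not from the original notes): resolve one Group Policy setting
# across Site -> Domain -> OU, with blocked and enforced links. Names are made up.
@dataclass
class GPO:
    name: str
    settings: dict          # setting name -> value, only configured settings
@dataclass
class Link:
    gpo: GPO
    enforced: bool = False  # "Force Policy Inheritance" set on this link
@dataclass
class Container:
    name: str
    links: list             # index 0 = top of the Group Policy tab list
    block_inheritance: bool = False  # "Block Policy Inheritance"

def resolve(chain, setting):
    """chain is ordered general -> specific: [site, domain, ou, ...].
    Returns (value, GPO name, container name) for the winning link, or None."""
    normal, enforced_levels = [], []
    for container in chain:
        if container.block_inheritance:
            normal = []     # parents' non-enforced links are discarded here
        level = []
        for link in reversed(container.links):   # bottom -> top of the list
            (level if link.enforced else normal).append((container, link))
        enforced_levels.append(level)
    # Apply normal links general -> specific, then enforced links specific ->
    # general: the enforced link highest in the tree is applied last and wins.
    order = list(normal)
    for level in reversed(enforced_levels):
        order += level
    winner = None
    for container, link in order:            # last writer wins
        if setting in link.gpo.settings:
            winner = (link.gpo.settings[setting], link.gpo.name, container.name)
    return winner

# Scenario from the notes: site link says 60 days, OU link says 90 days.
SITE_GPO = GPO("Site Password Policy", {"MaxPasswordAgeDays": 60})
OU_GPO = GPO("Research OU Policy", {"MaxPasswordAgeDays": 90})

def scenario(site_enforced=False, ou_blocks=False):
    chain = [Container("Site", [Link(SITE_GPO, enforced=site_enforced)]),
             Container("corp.example", []),
             Container("OU=Research", [Link(OU_GPO)], ou_blocks)]
    return resolve(chain, "MaxPasswordAgeDays")
```

Calling scenario() reproduces the plain-inheritance case (the OU's 90 days win), while scenario(site_enforced=True, ou_blocks=True) shows an enforced site link winning even through a blocking OU.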