Chapter Overview
- Understanding Group Policies
- Implementing Group Policies
- Using Security Policies
- Troubleshooting Group Policy Problems

Understanding Group Policies
Before attempting to implement group policies, you need to be familiar with concepts that affect group policy operations:
- Definition of group policies
- How to use the Group Policy snap-in
- Group policy settings
- How group policy affects startup and logon
- How group policy settings are processed
- How security settings can be used to filter group policy

What Are Group Policies?
Group policies are collections of user and computer configuration settings that you can link to computers, sites, domains, and organizational units (OUs) to specify the behavior of users' desktops. To create a specific desktop configuration for a group of users, you create group policy objects (GPOs), which are collections of group policy settings.
GPOs can be local or nonlocal. One local GPO is always stored on each computer running Microsoft Windows 2000. Nonlocal GPOs are linked to Active Directory objects (sites, domains, and OUs), and can be applied to either users or computers.

Using the Group Policy Snap-In
Use the Group Policy snap-in to create, modify, and manage GPOs. There are two primary methods to open Group Policy:
- Create a new Microsoft Management Console (MMC) console and select Group Policy as a standalone snap-in.
- Select an object in an Active Directory management console, and access Group Policy as an extension snap-in.

The Group Policy Snap-In

Opening the Local Group Policy Snap-In
The local group policies are those stored on each Windows 2000 computer. To open the Group Policy snap-in with a focus on local group policies:
1. Start a new MMC console.
2. Add the Group Policy stand-alone snap-in.
3. Select Local Computer in the Select Group Policy Object dialog box.
The Add Standalone Snap-In Dialog Box

The Select Group Policy Object Dialog Box

Opening the Group Policy Snap-In for Another Computer
You can open the local GPO for another computer on the network if you have administrative rights to that computer. To open the Group Policy snap-in for another computer:
1. Start a new MMC console.
2. Add the Group Policy stand-alone snap-in.
3. Browse and select another computer in the Select Group Policy Object dialog box.

Opening the Group Policy Snap-In from Active Directory Users And Computers
To access the Group Policy snap-in by using Active Directory Users And Computers:
1. Open Active Directory Users And Computers.
2. In the console tree, right-click the domain or OU you want to set group policy for, and then select Properties.
3. Click the Group Policy tab, select an entry, and then click Edit.

Opening the Group Policy Snap-In from Active Directory Sites And Services
To access the Group Policy snap-in by using Active Directory Sites And Services:
1. Open Active Directory Sites And Services.
2. In the console tree, right-click the site you want to set group policy for, and then select Properties.
3. Click the Group Policy tab, select an entry, and then click Edit.

Group Policy Settings
Group policy settings define the desktop environments for network users. Group policy settings are contained in a GPO. There are two types of group policy settings:
- Use computer configuration settings to set group policies for computers, regardless of who logs on to them.
- Use user configuration settings to set group policies that apply to specific users, regardless of which computer the user logs on to.

Software Settings Folder
In both Computer Configuration and User Configuration, the Software Settings folder contains only Software Installation settings, by default. Use Software Installation settings to specify how applications are installed and maintained.
Applications can be managed in one of two modes: Assigned or Published.

Software Settings Folder (Cont.)

Windows Settings Folder
In both the Computer Configuration and User Configuration folders, the Windows Settings folder contains two items: Scripts and Security Settings.
- Use Scripts to specify startup/shutdown scripts (for computers) and logon/logoff scripts (for users).
- Use Security Settings to manually configure the security levels assigned to a GPO.

Windows Settings Folder (Cont.)

Windows Settings: User Configuration
For only the User Configuration folder, Windows Settings also contains:
- Internet Explorer Maintenance: lets you administer and customize Microsoft Internet Explorer
- Remote Installation Services: controls the behavior of remote operating system installations
- Folder Redirection: lets you redirect Windows 2000 special folders to an alternate location

Administrative Templates Folder
For both Computer Configuration and User Configuration, the Administrative Templates folder contains all registry-based group policy settings, including settings for:
- Windows Components
- System
- Network

Administrative Templates Folder (Cont.)

Administrative Templates Policy Settings
More than 450 policy settings are available for configuring the user environment. In the registry:
- Computer configurations are saved in HKEY_LOCAL_MACHINE (HKLM)
- User configurations are saved in HKEY_CURRENT_USER (HKCU)

How Group Policy Affects Startup and Logon
The sequence for Computer Configuration and User Configuration settings when a computer starts and a user logs on is as follows:
1. The network starts.
2. The computer obtains an ordered list of GPOs.
3. The system processes the Computer Configuration settings.
4. Startup scripts run.
5. The user presses CTRL+ALT+DELETE to log on.

How Group Policy Affects Startup and Logon (Cont.)
6. After the user is authenticated, the computer loads the user profile.
7. The computer obtains an ordered list of GPOs for the user.
8. The system processes the User Configuration settings.
9. The computer runs the logon scripts.
10. The operating system interface prescribed by group policies appears.

How Group Policy Is Processed
Group policy settings are processed in the following order:
1. Local GPO
2. Site GPOs
3. Domain GPOs
4. OU GPOs
The GPO that is processed last overrides conflicting settings in all other GPOs that were processed earlier.

Group Policy Processing Order

Exceptions to the Default Processing Order
- Workgroup Membership: a computer that is a member of a workgroup processes only the local GPO.
- No Override: any GPO linked to a site, domain, or OU can be set so that none of its policy settings can be overridden.
- Block Policy Inheritance: at any site, domain, or OU, group policy inheritance can be selectively marked as Block Policy Inheritance. However, No Override settings cannot be blocked.
- Loopback: used to circumvent the normal order in which GPOs are applied.

Loopback Modes
Loopback can be set to Merge or Replace mode.
- Replace: the GPO list for the user is replaced by the GPO list obtained for the computer at startup.
- Merge: the GPO list obtained for the computer at startup is appended to the GPO list obtained for the user at logon.

Group Policy Inheritance
Group policies are typically passed down from parent to child containers in the Active Directory service. However, if you specify a group policy for a child container, the child container's group policy settings override any conflicting settings inherited from the parent container.
- If a parent OU has policy settings that are not configured, the child OU does not inherit them.
- Policy settings that are disabled are inherited as disabled.
- If a parent policy and a child policy are compatible, the child inherits the parent policy, and the child's setting is also applied.
- If a policy setting configured for a parent OU is incompatible with the same policy setting configured for a child OU, the child does not inherit the policy setting from the parent; instead, the setting for the child is applied.

Using Security Groups to Filter Group Policy
Because you can link more than one GPO to a site, domain, or OU, you might need to link GPOs associated with other directory objects. By setting the appropriate permissions for security groups, you can filter group policy to influence only the computers and users you specify.

Lesson Summary
- Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops.
- The Group Policy snap-in is used to manage group policies.
- Windows 2000 applies GPOs in this order: local GPO, site GPOs, domain GPOs, and OU GPOs.
- By default, Active Directory objects inherit group policy settings from parent containers.

Implementing Group Policies
You may have to modify the group policies in place on a network or create new GPOs.

Tasks for Implementing Group Policies
You may need to perform numerous tasks to implement group policies. A few of these tasks are:
- Creating a GPO
- Delegating administrative control of a GPO
- Specifying group policy settings for a GPO
- Indicating GPO processing exceptions

Creating a GPO
The first step in implementing a group policy is creating a GPO. You also need to determine the type of Active Directory object you want to create a GPO for.

Creating a GPO (Cont.)
To create a GPO:
1. For a GPO linked to a domain or an OU, open Active Directory Users And Computers; for a GPO linked to a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU object you want to create a GPO for, and then select Properties.
3. Click the Group Policy tab.
4. Click New and type the name you want to assign to the GPO.
   By default, the new GPO is linked to the site, domain, or OU that you selected, and the GPO settings apply to that site, domain, or OU.
5. Click Close.

The Group Policy Tab

Creating a GPO Console
After you create a GPO, you can create a custom MMC console containing the Group Policy snap-in and focused on that particular GPO. To create a GPO console:
1. Start a new MMC console, and then add the Group Policy stand-alone snap-in to it.
2. In the Select Group Policy Object dialog box, browse and select the GPO on which you want to focus.

Default GPO Permissions
Security Group             Default Permissions
Authenticated Users        Read, Apply Group Policy, Special Permissions
Creator Owner              Special Permissions
Domain Administrators      Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
Enterprise Administrators  Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
SYSTEM                     Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions

Delegating Administrative Control of a GPO
To delegate administrative control of a GPO:
1. Open the Group Policy snap-in for the GPO.
2. Right-click the root node of the console, and then select Properties.
3. Click the Security tab.
4. Select a group and configure permissions to either allow or deny administrative access to the GPO. (Repeat this step as necessary.)
5. Click OK.

The Security Tab of a GPO Properties Dialog Box

Specifying Group Policy Settings for a GPO
To specify group policy settings:
1. Open the Group Policy snap-in for the GPO.
2. Expand the console tree until the policy you want to set appears in the details pane.
3. In the details pane, double-click the policy you want to set.
4. In the policy's Properties dialog box, select Enabled to apply the policy, and then click OK.
Expanding the Console Tree to View Policies

The Properties Dialog Box for a Typical Policy

Disabling Unused Group Policy Settings
If all Computer Configuration or User Configuration policies for a GPO are unconfigured and unused, you can disable them to speed up the startup and logon processes for computers affected by the GPO.

Disabling Unused Group Policy Settings (Cont.)
To disable all Computer Configuration or User Configuration policies for a GPO:
1. Open the Group Policy snap-in for the GPO.
2. Right-click the root node of the console and select Properties to display the Properties dialog box.
3. In the General tab, select the Disable Computer Configuration settings check box or the Disable User Configuration settings check box.
4. Click OK.

The General Tab in a GPO Properties Dialog Box

Indicating GPO Processing Exceptions
You can change the default GPO processing order by:
- Modifying the order of GPOs for an object
- Specifying the Block Policy Inheritance option
- Specifying the No Override option
- Enabling the Loopback setting

Modifying the GPO Processing Order
To modify the GPO processing order:
1. For a domain or OU, open Active Directory Users And Computers; for a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU, and then select Properties.
3. Click the Group Policy tab.
4. In the Group Policy Object Links list, select a GPO and click Up or Down to change its place in the processing sequence.

Modifying the GPO Processing Order (Cont.)

Blocking Policy Inheritance
To block policy inheritance:
1. For a domain or OU, open Active Directory Users And Computers; for a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU, and then select Properties.
3. Click the Group Policy tab.
4. Select the Block Policy Inheritance check box. (You cannot block GPOs that use the No Override option.)
5. Click OK.

Using the No Override Option
To use the No Override option:
1. For a domain or OU, open Active Directory Users And Computers; for a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU, and then select Properties.
3. Click the Group Policy tab.
4. Select the GPO you want to modify, and then click Options.
5. In the Options dialog box, select the No Override check box.
6. Click OK.

The Options Dialog Box for a GPO

Enabling the Loopback Setting
To enable the Loopback setting:
1. Open the Group Policy snap-in for the GPO.
2. In the console tree, expand Computer Configuration until the Group Policy folder is visible.
3. In the details pane, double-click User Group Policy Loopback Processing Mode.
4. Select Enabled.
5. Select one of the following modes from the Mode list:
   - Replace: replaces the GPO list for the user with the GPO list already obtained for the computer at startup
   - Merge: appends the GPO list already obtained for the computer at startup to the GPO list obtained for the user at logon
6. Click OK.

The Loopback Processing Mode Properties Dialog Box

Filtering GPO Scope
Policies in a GPO apply only to users with the Read permission for that GPO. To filter the scope of a GPO, you can create security groups and then assign the Read permission to the selected groups. This prevents a policy from applying to a specific group by denying that group the Read permission to the GPO.

Filtering GPO Scope (Cont.)
To filter the GPO scope:
1. Open the Group Policy snap-in for the GPO.
2. Right-click the root node of the console, and then select Properties.
3. Click the Security tab, and then select the security group that you want to filter this GPO through.
4. Set permissions for the group, and then click OK.

Linking a GPO to a Site, Domain, or OU
By default, a new GPO is linked to the site, domain, or OU that was selected in the MMC when it was created.
You can use the Group Policy tab in the Properties dialog box of the site, domain, or OU to link a GPO to additional sites, domains, or OUs.

The Add A Group Policy Object Link Dialog Box

Removing a GPO Link
To remove a GPO link:
1. Open Active Directory Users And Computers or Active Directory Sites And Services, as appropriate.
2. In the console tree, right-click the site, domain, or OU object that the GPO is to be unlinked from, and then select Properties.
3. Click the Group Policy tab, select the GPO you want to unlink, and then click Delete.
4. In the Delete dialog box, select Remove The Link From The List, and then click OK.
5. Click Close.

Deleting a GPO
To delete a GPO:
1. Open Active Directory Users And Computers or Active Directory Sites And Services, as appropriate.
2. In the console tree, right-click the site, domain, or OU object that the GPO is to be deleted from, and then select Properties.
3. Click the Group Policy tab, select the GPO you want to delete, and then click Delete.
4. In the Delete dialog box, select Remove The Link And Delete The Group Policy Object Permanently, and then click OK.
5. Click Close.

Group Policy Best Practices
- Disable unused parts of a GPO.
- Use the Block Policy Inheritance and No Override features sparingly.
- Minimize the number of GPOs.
- Filter policies based on security group membership.
- Use the Loopback setting only when necessary.
- Avoid cross-domain GPO assignments.

Lesson Summary
- To implement group policies, you must create a GPO and link it to an Active Directory object, such as a site, domain, or OU.
- In the Properties dialog box of a GPO, you can link the GPO to an additional site, domain, or OU; delegate administrative control; disable unused policy settings; and filter the scope.
- To set group policies, expand the console tree in the Group Policy snap-in to locate the desired setting, open the Properties dialog box, and then select Enable or Disable.
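The rules spread over the preceding slides (local, site, domain, OU order with the last-processed GPO winning conflicts; Block Policy Inheritance versus No Override; Replace and Merge loopback; and filtering by security group, where a GPO is skipped for principals denied Read) interact in ways that are easier to see when computed. The following Python model is an added example, not code from the slides or from Windows: every container, GPO, group and setting name is constructed, and modelling each GPO list as filtered by the groups of the principal it was built for is a simplifying assumption.

```python
"""Toy model of Windows 2000 group policy processing: local, site, domain, OU
order; Block Policy Inheritance; No Override; security-group filtering; and
loopback Replace/Merge. Added example, not code from the slides; every name,
group and setting below is constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    computer: dict = field(default_factory=dict)  # Computer Configuration settings
    user: dict = field(default_factory=dict)      # User Configuration settings
    no_override: bool = False                     # No Override set on the link
    # Security filtering: groups holding Read + Apply Group Policy, and groups
    # explicitly denied Read (a deny beats the allow, as in an NT ACL).
    apply_to: frozenset = frozenset({"Authenticated Users"})
    deny_read: frozenset = frozenset()

    def applies_to(self, groups):
        return bool(groups & self.apply_to) and not (groups & self.deny_read)


@dataclass
class Container:
    """A site, domain or OU with its linked GPOs in processing order."""
    name: str
    links: list
    block_inheritance: bool = False


def gpo_list(local, chain, groups):
    """Build the ordered GPO list for one principal.

    chain is [site, domain, OU, child OU, ...] for that principal. Block Policy
    Inheritance on a container drops the GPOs linked above it unless they are
    marked No Override; the local GPO is always processed first (assumption:
    Block is modelled as not affecting the local GPO)."""
    deepest_block = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    ordered = [local]
    for i, container in enumerate(chain):
        for gpo in container.links:
            if i < deepest_block and not gpo.no_override:
                continue  # blocked by a child container's Block Policy Inheritance
            ordered.append(gpo)
    return [gpo for gpo in ordered if gpo.applies_to(groups)]


def resolve(gpos, section):
    """Last processed wins. None stands for Not Configured, which is never
    inherited; False stands for Disabled, which is inherited as disabled."""
    effective = {}
    for gpo in gpos:
        for key, value in getattr(gpo, section).items():
            if value is not None:
                effective[key] = value
    return effective


def user_settings(computer_gpos, user_gpos):
    """Apply the loopback mode found in the computer's own effective settings."""
    mode = resolve(computer_gpos, "computer").get("LoopbackMode")
    if mode == "Replace":
        applied = computer_gpos                # the user's list is replaced
    elif mode == "Merge":
        applied = user_gpos + computer_gpos    # computer list appended, so it wins conflicts
    else:
        applied = user_gpos
    return resolve(applied, "user"), [g.name for g in applied]


# Constructed directory: one site, one domain, four OUs.
LOCAL = GPO("Local", user={"HideRunMenu": False})
SITE = Container("HQ-Site", [GPO("SiteDefaults", computer={"EnableIPSec": True},
                                 user={"HideRunMenu": True})])
DOMAIN = Container("corp.example", [GPO("DomainSecurity", computer={"MinPasswordLength": 8},
                                        no_override=True)])
KIOSKS = Container("Kiosks", [GPO("KioskLockdown", computer={"LoopbackMode": "Replace"},
                                  user={"HideRunMenu": True, "HideDrives": True})],
                   block_inheritance=True)
LABS = Container("Labs", [GPO("LabMerge", computer={"LoopbackMode": "Merge"},
                              user={"HideDrives": True})])
DESKS = Container("Desks", [])
STAFF = Container("Staff", [GPO("StaffDesktop",
                                user={"HideRunMenu": False, "ProxyServer": "proxy.corp.example:8080"},
                                deny_read=frozenset({"Domain Admins"}))])


def scenario(computer_ou, user_ou, computer_groups, user_groups):
    """Return (effective computer settings, effective user settings, GPOs applied to the user)."""
    comp = gpo_list(LOCAL, [SITE, DOMAIN, computer_ou], computer_groups)
    usr = gpo_list(LOCAL, [SITE, DOMAIN, user_ou], user_groups)
    settings, applied = user_settings(comp, usr)
    return resolve(comp, "computer"), settings, applied


if __name__ == "__main__":
    for ou in (DESKS, KIOSKS, LABS):
        print(ou.name, scenario(ou, STAFF, {"Authenticated Users"}, {"Authenticated Users", "Staff"}))
```

Running the three scenarios shows the points the slides make: on a kiosk the Block Policy Inheritance drops the site GPO but not the No Override domain GPO, and Replace loopback gives the user the kiosk's User Configuration; on a lab machine Merge re-applies the computer's list after the user's, so the site GPO's HideRunMenu wins over the Staff OU's; and a member of Domain Admins, denied Read on StaffDesktop, never receives that GPO at all.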
Using Security Policies
One of the primary functions of group policies is to implement security policies that protect network resources from unauthorized access. Many security-related policies are found in the Security Settings snap-in, which is in the Group Policy snap-in.

The Security Settings Item in a GPO

Account Policies
Account policies apply to computers, and include:
- Password Policy
- Account Lockout Policy
- Kerberos Policy
Windows 2000 permits only one domain account policy: the account policy applied to the root of a domain. Exception: another account policy can be defined for an OU.

Password Policy
Lets you control which passwords users select and how often they must change their passwords. Password policies include:
- Enforce Password History: specifies the number of previous passwords Windows 2000 remembers for each user
- Maximum Password Age: specifies the number of days until a password expires
- Minimum Password Age: specifies the number of days a user must keep a password before the user can change it
- Minimum Password Length: specifies the smallest number of characters a password can contain
- Passwords Must Meet Complexity Requirements
- Store Passwords Using Reversible Encryption For All Users In The Domain: modifies the encryption algorithm

Account Lockout Policy
Locks a user account after a specified number of failed logon attempts. Account lockout policies include:
- Account Lockout Duration: specifies the number of minutes a user account will remain locked
- Account Lockout Threshold: specifies the number of failed logon attempts that can occur before lockout
- Reset Account Lockout Counter After: specifies the number of minutes before the counter resets to zero

Kerberos Policy
The Kerberos Policy contains the following policies:
- Enforce User Logon Restrictions
- Maximum Lifetime For Service Ticket
- Maximum Lifetime For User Ticket
- Maximum Lifetime For User Ticket Renewal
- Maximum Tolerance For Computer Clock Synchronization

Local Policies
- Pertain to the security settings on the computer used by an application or user
- Based on the computer you are logged on to and the rights you have on that particular computer
Local Policies include:
- Audit Policy
- User Rights Assignment
- Security Options

Audit Policy
An audit policy lets you select security events you want Windows 2000 to write to the security log for later display in Event Viewer. When you enable auditing for an event, you specify whether successful attempts, failed attempts, or both will be logged. Audit policies include:
- Audit Account Logon Events
- Audit Directory Service Access
- Audit Object Access

User Rights Assignment
User rights grant a user the ability to perform specific tasks. Commonly used Windows 2000 User Rights Assignments:
- Add Workstations To Domain
- Back Up Files And Directories
- Log On Locally
- Manage Auditing And Security Log
- Restore Files And Directories
- Take Ownership Of Files Or Other Objects

Security Options
Security Options policies enable or disable security settings for the computer that control elements such as:
- The digital signing of data
- Administrator and Guest account names
- Floppy drive and CD-ROM drive access
- Driver installation
- Logon prompts

The Security Options Policies in a GPO

Event Log
The Event Log security area contains Settings For Event Logs. You can set the following policies for each of the three default logs (application, security, and system):
- Maximum Log Size
- Restrict Guest Access To Log
- Retain Log
- Retention Method For Log

The Event Log Policies

Restricted Groups
Use Restricted Groups to prevent users who have been added to a group temporarily from remaining in the group because of neglect. The users you add to Restricted Groups are the only users authorized to be permanent members of that group. If you add new members without adding them to this policy, the next time group policies are applied, those members are removed from the group.
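The Password Policy and Account Lockout Policy settings listed under Account Policies above behave as a small state machine, and the interplay of Account Lockout Threshold, Reset Account Lockout Counter After and Account Lockout Duration is where most misconfigurations hide. The following Python model is an added example, not code from the slides or from Windows: the policy values, user name and logon timeline are constructed, and the complexity check uses the commonly stated three-of-four-character-classes reading of the Windows 2000 filter, which is an assumption here rather than something the slides specify.

```python
"""Model of the Account Policies slides: a password-policy check (Enforce
Password History, Minimum/Maximum Password Age, Minimum Password Length,
complexity) and an Account Lockout Policy state machine (Account Lockout
Threshold, Account Lockout Duration, Reset Account Lockout Counter After).
Added example, not code from the slides or from Windows; policy values and
the logon history below are constructed."""
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    enforce_history: int = 5      # previous passwords remembered (0 = none)
    maximum_age_days: int = 42    # 0 = passwords never expire
    minimum_age_days: int = 1
    minimum_length: int = 8
    complexity: bool = True


def meets_complexity(password, username=""):
    """Assumption: the usual reading of the Windows 2000 complexity filter,
    i.e. characters from at least three of four classes and no user name."""
    if username and username.lower() in password.lower():
        return False
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def check_new_password(policy, new_password, history, days_since_change, username=""):
    """Return the names of the policy settings a proposed change violates.
    history holds previous passwords, newest last (a real system keeps hashes;
    plaintext here only so the example stays readable)."""
    violations = []
    if days_since_change < policy.minimum_age_days:
        violations.append("Minimum Password Age")
    if len(new_password) < policy.minimum_length:
        violations.append("Minimum Password Length")
    if policy.complexity and not meets_complexity(new_password, username):
        violations.append("Passwords Must Meet Complexity Requirements")
    if policy.enforce_history and new_password in history[-policy.enforce_history:]:
        violations.append("Enforce Password History")
    return violations


def password_expired(policy, days_since_change):
    """Maximum Password Age: 0 means passwords never expire."""
    return bool(policy.maximum_age_days) and days_since_change >= policy.maximum_age_days


@dataclass
class LockoutPolicy:
    threshold: int = 5            # failed attempts before lockout; 0 = never lock
    duration_minutes: int = 30    # 0 = locked until an administrator unlocks
    reset_after_minutes: int = 30


@dataclass
class AccountState:
    failed: int = 0
    last_failure: float = None
    locked_at: float = None


def record_logon(policy, state, password_ok, now):
    """Apply one logon attempt at time now (minutes) and return
    'ok', 'denied' (bad password) or 'locked' (account locked out)."""
    if state.locked_at is not None:
        if policy.duration_minutes and now - state.locked_at >= policy.duration_minutes:
            state.locked_at, state.failed = None, 0     # lockout has expired
        else:
            return "locked"                             # even a correct password is refused
    if state.failed and now - state.last_failure >= policy.reset_after_minutes:
        state.failed = 0                                # Reset Account Lockout Counter After
    if password_ok:
        state.failed = 0
        return "ok"
    state.failed += 1
    state.last_failure = now
    if policy.threshold and state.failed >= policy.threshold:
        state.locked_at = now
        return "locked"
    return "denied"


def simulate(policy, attempts):
    """attempts: [(minute, password_ok), ...] in time order; returns the outcomes."""
    state = AccountState()
    return [record_logon(policy, state, ok, minute) for minute, ok in attempts]


if __name__ == "__main__":
    # Constructed timeline: two bad guesses, a quiet spell that resets the counter,
    # three more bad guesses that lock the account, then a correct password that is
    # refused until the 30-minute lockout has elapsed.
    lockout = LockoutPolicy(threshold=3, duration_minutes=30, reset_after_minutes=10)
    print(simulate(lockout, [(0, False), (1, False), (20, False), (21, False),
                             (22, False), (23, True), (52, True)]))
    print(check_new_password(PasswordPolicy(), "alice123", ["Winter2000!"], 0, "alice"))
```

Two behaviours worth noticing in the timeline: the reset window wipes the two early failures, so five bad guesses spread over 22 minutes produce a lockout only because three of them fall inside one window, and once locked the account refuses the correct password until Account Lockout Duration has passed, which is why a short duration is a denial-of-service limiter rather than a security weakening.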
The Restricted Groups Security Area

System Services
The settings in this area specify whether a service should load automatically when Windows 2000 starts. Options for each service are:
- Automatic: starts a service automatically at system startup
- Manual: starts a service only if manually started by an authorized user
- Disabled: disables a service so it cannot be started

Registry and File System Areas
These areas let you use group policies to set access permissions for registry keys and file system elements, such as folders and files. You can edit the security properties of the registry key or file path to specify which user or group objects have permission to access the key or path, as well as to configure inheritance settings, auditing, and ownership permissions.

Public Key Policies
Use to control and manage public key certificate settings by performing the following tasks:
- Specify that computers should submit a certificate request to a certification authority and install the issued certificate.
- Create and distribute a certificate trust list.
- Establish common trusted root certification authorities.
- Add encrypted data recovery agents and change the encrypted data recovery policy settings.

IP Security Policies on Active Directory
Settings in this area configure computers on the network to use Internet Protocol Security (IPSec). You can use these policies to specify which types of Transmission Control Protocol/Internet Protocol (TCP/IP) traffic should use these IPSec communication modes:
- Client (Respond Only)
- Secure Server (Require Security)
- Server (Request Security)

Refreshing Policies
Sometimes modifications made to security policies do not take effect immediately.
To initiate policy propagation, you can:
- Restart the computer
- Wait for automatic policy propagation to occur
- Use Secedit.exe to refresh the security settings:
  Secedit /refreshpolicy machine_policy
  Secedit /refreshpolicy user_policy

Lesson Summary
- GPOs use the Security Settings snap-in to provide many security-related policies.
- Account policies let you control user password and logon behavior.
- Local policies let you configure auditing, user rights assignments, and other security options.
- Restricted Groups lets you enforce membership in user groups.

Troubleshooting Group Policy Problems
You need to know the best practices and methods for solving problems that you might encounter relating to group policies.

Troubleshooting Group Policy
Consider dependencies between components. When a problem appears in one component, check whether the components, services, and resources that it relies on are working properly. Event logs are useful for tracking down causes of dependency-caused problems.

Troubleshooting Tips
- You must have both the Read and Write permissions for the GPO in order to open it in the Group Policy snap-in.
- Services that group policies rely on include Active Directory and Domain Name System (DNS). Group policies also rely on the Windows 2000 networking components.

Troubleshooting Tips (Cont.)
- GPOs are not applied to security groups; group policy affects only users and computers contained in sites, domains, and OUs.
- When multiple GPOs apply, they are processed in this order: local GPO, site GPOs, domain GPOs, and OU GPOs. The settings in the last policy applied take precedence.

Troubleshooting Tips (Cont.)
- The No Override option takes precedence over the Block Policy Inheritance option.
- GPOs cannot be linked to Active Directory containers other than sites, domains, and OUs.
- Local GPOs are the weakest; any nonlocal GPO can overwrite them.

Lesson Summary
- When troubleshooting group policy problems, check the services that group policies rely on.
- To open a GPO in the Group Policy snap-in, a user needs both the Read and Write permissions.
- Security group memberships do not cause group policies to be applied to users; users receive group policies from the site, domain, or OU that a GPO is linked to.
- No Override takes precedence over Block Policy Inheritance.