Chapter 9 PowerPoint Slides

Chapter Overview

- Understanding Group Policies
- Implementing Group Policies
- Using Security Policies
- Troubleshooting Group Policy Problems
1
Understanding Group Policies

Before attempting to implement group policies, you need to be familiar with concepts that affect group policy operations.

- Definition of group policies
- How to use the Group Policy snap-in
- Group policy settings
- How group policy affects startup and logon
- How group policy settings are processed
- How security settings can be used to filter group policy
2
What Are Group Policies?

- Group policies are collections of user and computer configuration settings that you can link to computers, sites, domains, and organizational units (OUs) to specify the behavior of users' desktops.
- To create a specific desktop configuration for a group of users, you create group policy objects (GPOs), which are collections of group policy settings.
- GPOs can be local or nonlocal.
  - One local GPO is always stored on each computer running Microsoft Windows 2000.
  - Nonlocal GPOs are linked to Active Directory objects (sites, domains, and OUs), and can be applied to either users or computers.
3
Using the Group Policy Snap-In

- Use the Group Policy snap-in to create, modify, and manage GPOs.
- There are two primary methods to open Group Policy:
  - Create a new Microsoft Management Console (MMC) console and select Group Policy as a standalone snap-in.
  - Select an object in an Active Directory management console, and access Group Policy as an extension snap-in.
4
The Group Policy Snap-In
5
Opening the Local Group Policy Snap-In

- The local group policies are those stored on each Windows 2000 computer.
- To open the Group Policy snap-in with a focus on local group policies:
1. Start a new MMC console.
2. Add the Group Policy stand-alone snap-in.
3. Select Local Computer in the Select Group Policy Object dialog box.
6
The Add Standalone Snap-In Dialog Box
7
The Select Group Policy Object Dialog Box
8
Opening the Group Policy Snap-In for Another Computer

- You can open the local GPO for another computer on the network if you have administrative rights to that computer.
- To open the Group Policy snap-in for another computer:
1. Start a new MMC console.
2. Add the Group Policy stand-alone snap-in.
3. Browse and select another computer in the Select Group Policy Object dialog box.
9
Opening the Group Policy Snap-In from Active Directory Users And Computers

To access the Group Policy snap-in by using Active Directory Users And Computers:
1. Open Active Directory Users And Computers.
2. In the console tree, right-click the domain or OU you want to set group policy for, and then select Properties.
3. Click the Group Policy tab, select an entry, and then click Edit.
10
Opening the Group Policy Snap-In from Active Directory Sites And Services

To access the Group Policy snap-in by using Active Directory Sites And Services:
1. Open Active Directory Sites And Services.
2. In the console tree, right-click the site you want to set group policy for, and then select Properties.
3. Click the Group Policy tab, select an entry, and then click Edit.
11
Group Policy Settings

- Group policy settings define the desktop environments for network users.
- Group policy settings are contained in a GPO.
- There are two types of group policy settings:
  - Use computer configuration settings to set group policies for computers, regardless of who logs on to them.
  - Use user configuration settings to set group policies that apply to specific users, regardless of which computer the user logs on to.
12
Software Settings Folder

- In both Computer Configuration and User Configuration, the Software Settings folder contains only Software Installation settings, by default.
- Use Software Installation settings to specify how applications are installed and maintained.
- Applications can be managed in one of two modes: Assigned or Published.
13
Software Settings Folder (Cont.)
14
Windows Settings Folder

- In both the Computer Configuration and User Configuration folders, the Windows Settings folder contains two items: Scripts and Security Settings.
- Use Scripts to specify startup/shutdown scripts (for computers) and logon/logoff scripts (for users).
- Use Security Settings to manually configure the security levels assigned to a GPO.
15
Windows Settings Folder (Cont.)
16
Windows Settings—User Configuration

For only the User Configuration folder, Windows Settings also contains
- Internet Explorer Maintenance: lets you administer and customize Microsoft Internet Explorer
- Remote Installation Services: controls the behavior of remote operating system installations
- Folder Redirection: lets you redirect Windows 2000 special folders to an alternate location
17
Administrative Templates Folder

For both Computer Configuration and User Configuration, the Administrative Templates folder contains all registry-based group policy settings, including settings for
- Windows Components
- System
- Network
18
Administrative Templates Folder (Cont.)
19
Administrative Templates Policy Settings

- More than 450 policy settings are available for configuring the user environment.
- In the registry
  - Computer configurations are saved in HKEY_LOCAL_MACHINE (HKLM)
  - User configurations are saved in HKEY_CURRENT_USER (HKCU)
20
How Group Policy Affects Startup and Logon

The sequence for Computer Configuration and User Configuration settings when a computer starts and a user logs on is as follows:
1. The network starts.
2. The computer obtains an ordered list of GPOs.
3. The system processes the Computer Configuration settings.
4. Startup scripts run.
5. The user presses CTRL+ALT+DELETE to log on.
21
How Group Policy Affects Startup and Logon (Cont.)

6. After the user is authenticated, the computer loads the user profile.
7. The computer obtains an ordered list of GPOs for the user.
8. The system processes the User Configuration settings.
9. The computer runs the logon scripts.
10. The operating system interface prescribed by group policies appears.
22
How Group Policy Is Processed

Group policy settings are processed in the following order:
1. Local GPO
2. Site GPOs
3. Domain GPOs
4. OU GPOs

The GPO that is processed last overrides conflicting settings in all other GPOs that were processed earlier.
23
Group Policy Processing Order
24
Exceptions to the Default Processing Order

- Workgroup Membership: a computer that is a member of a workgroup processes only the local GPO.
- No Override: any GPO linked to a site, domain, or OU can be set so that none of its policy settings can be overridden.
- Block Policy Inheritance: at any site, domain, or OU, group policy inheritance can be selectively marked as Block Policy Inheritance. However, No Override settings cannot be blocked.
- Loopback: used to circumvent the normal order that GPOs are applied in.
25
Loopback Modes

Loopback can be set to Merge or Replace mode.
- Replace: the GPO list for the user is replaced by the GPO list obtained for the computer at startup.
- Merge: the GPO list obtained for the computer at startup is appended to the GPO list obtained for the user at logon.
26
Group Policy Inheritance

- Group policies are typically passed down from parent to child containers in the Active Directory service.
- However, if you specify a group policy for a child container, the child container's group policy settings override any conflicting settings inherited from the parent container.
- If a parent OU has policy settings that are not configured, the child OU does not inherit them.
- Policy settings that are disabled are inherited as disabled.
- If a parent policy and a child policy are compatible, the child inherits the parent policy, and the child's setting is also applied.
- If a policy setting configured for a parent OU is incompatible with the same policy setting configured for a child OU, the child does not inherit the policy setting from the parent—instead, the setting for the child is applied.
27
Using Security Groups to Filter Group Policy

- Because you can link more than one GPO to a site, domain, or OU, you might need to link GPOs associated with other directory objects.
- By setting the appropriate permissions for security groups, you can filter group policy to influence only the computers and users you specify.
28
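The processing order, the No Override and Block Policy Inheritance exceptions, the loopback modes, the inheritance rules and the security-group filtering described on the preceding slides, modelled as an added example (not code from the original slides). Container names, GPO names, policy names and group names are constructed; links within one container are taken in Group Policy tab order (top entry applied last), which is an assumption beyond what the slides state.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict = field(default_factory=dict)  # policy -> value; absent = Not Configured
    no_override: bool = False                     # No Override set on this link
    apply_groups: frozenset = frozenset({"Authenticated Users"})  # Read + Apply Group Policy
    deny_groups: frozenset = frozenset()          # explicit Deny of Apply Group Policy

@dataclass
class Container:
    """A site, domain or OU; gpos is in Group Policy tab order, top = highest precedence."""
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False

def gpo_applies(gpo, groups):
    """Security-group filtering: a Deny on any of the principal's groups wins;
    otherwise at least one of its groups needs the Apply Group Policy permission."""
    return not (groups & gpo.deny_groups) and bool(groups & gpo.apply_groups)

def ordered_gpo_list(local_gpo, chain, groups):
    """Return the GPOs to process, in order; the last one wins conflicts.
    chain runs from the site down to the innermost OU.  A workgroup member
    passes an empty chain and therefore gets only the local GPO."""
    # Block Policy Inheritance drops every GPO linked above that container, so
    # only the innermost block matters; No Override links survive it.
    first = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [local_gpo], []
    for depth, container in enumerate(chain):
        for gpo in reversed(container.gpos):  # bottom link first, top link last
            if not gpo_applies(gpo, groups):
                continue
            if gpo.no_override:
                enforced.append(gpo)
            elif depth >= first:
                normal.append(gpo)
    # No Override GPOs are processed after everything else.  Assumption beyond
    # the slides: if two of them conflict, the parent container's link wins.
    return normal + enforced[::-1]

def user_gpo_list(user_list, computer_list, loopback=None):
    """Apply the Replace or Merge loopback mode to the user's GPO list."""
    if loopback == "Replace":
        return list(computer_list)
    if loopback == "Merge":
        return list(user_list) + list(computer_list)
    return list(user_list)

def resultant_settings(order):
    """Later GPOs override earlier ones.  A Not Configured setting (absent) leaves
    the inherited value alone; Disabled is a real value and is inherited."""
    result = {}
    for gpo in order:
        result.update(gpo.settings)
    return result

# Constructed sample directory: Site-HQ > contoso.local > Sales (blocks inheritance),
# plus a Kiosks OU for the computer side of the loopback example.
LOCAL = GPO("Local", {"RemoveRunMenu": "Enabled", "Wallpaper": "default.bmp"})
SITE = Container("Site-HQ", [GPO("SiteStandard", {"RemoveRunMenu": "Disabled"})])
DOMAIN = Container("contoso.local",
                   [GPO("DomainSecurity", {"DisableRegedit": "Enabled"}, no_override=True)])
SALES = Container("Sales", [
    GPO("HelpdeskTools", {"DisableRegedit": "Disabled"}, apply_groups=frozenset({"Helpdesk"})),
    GPO("SalesDesktop", {"Wallpaper": "sales.bmp", "DisableRegedit": "Disabled"},
        deny_groups=frozenset({"Sales Managers"})),
], block_inheritance=True)
KIOSKS = Container("Kiosks", [GPO("KioskLockdown", {"RemoveRunMenu": "Enabled"})])

if __name__ == "__main__":
    order = ordered_gpo_list(LOCAL, [SITE, DOMAIN, SALES], frozenset({"Authenticated Users", "Sales"}))
    print([g.name for g in order], resultant_settings(order))
```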
Lesson Summary

- Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops.
- The Group Policy snap-in is used to manage group policies.
- Windows 2000 applies GPOs in this order: local GPO, site GPOs, domain GPOs, and OU GPOs.
- By default, Active Directory objects inherit group policy settings from parent containers.
29
Implementing Group Policies

You may have to modify the group policies in place on a network or create new GPOs.
30
Tasks for Implementing Group Policies

You may need to perform numerous tasks to implement group policies. A few of these tasks are
- Creating a GPO
- Delegating administrative control of a GPO
- Specifying group policy settings for a GPO
- Indicating GPO processing exceptions
31
Creating a GPO

- The first step in implementing a group policy is creating a GPO.
- You also need to determine the type of Active Directory object you want to create a GPO for.
32
Creating a GPO (Cont.)

To create a GPO:
1. For a GPO linked to a domain or an OU, open Active Directory Users And Computers, or for a GPO linked to a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU object you want to create a GPO for, and then select Properties.
3. Click the Group Policy tab.
4. Click New and type the name you want to assign to the GPO.
   By default, the new GPO is linked to the site, domain, or OU that you selected, and the GPO settings apply to that site, domain, or OU.
5. Click Close.
33
The Group Policy Tab
34
Creating a GPO Console

- After you create a GPO, you can create a custom MMC console containing the Group Policy snap-in and focused on that particular GPO.
- To create a GPO console:
1. Start a new MMC console, and then add the Group Policy stand-alone snap-in to it.
2. In the Select Group Policy Object dialog box, browse and select the GPO on which you want to focus.
35
Default GPO Permissions

Security Group             Default Permissions
Authenticated Users        Read, Apply Group Policy, Special Permissions
Creator Owner              Special Permissions
Domain Administrators      Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
Enterprise Administrators  Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
SYSTEM                     Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
36
Delegating Administrative Control of a GPO

To delegate administrative control of a GPO:
1. Open the Group Policy snap-in for the GPO.
2. Right-click the root node of the console, and then select Properties.
3. Click the Security tab.
4. Select a group and configure permissions to either allow or deny administrative access to the GPO. (Repeat this step as necessary.)
5. Click OK.
37
The Security Tab of a GPO Properties Dialog Box
38
Specifying Group Policy Settings for a GPO

To specify group policy settings:
1. Open the Group Policy snap-in for the GPO.
2. Expand the console tree until the policy you want to set appears in the details pane.
3. In the details pane, double-click the policy you want to set.
4. In the policy's Properties dialog box, select Enabled to apply the policy, and then click OK.
39
Expanding the Console Tree to View Policies
40
The Properties Dialog Box for a Typical Policy
41
Disabling Unused Group Policy Settings

If all Computer Configuration or User Configuration policies for a GPO are unconfigured and unused, you can disable them to speed up the startup and logon processes for computers affected by the GPO.
42
Disabling Unused Group Policy Settings (Cont.)

To disable all Computer Configuration or User Configuration policies for a GPO:
1. Open the Group Policy snap-in for the GPO.
2. Right-click the root node of the console and select Properties to display the Properties dialog box.
3. In the General tab, select the Disable Computer Configuration settings check box or the Disable User Configuration settings check box.
4. Click OK.
43
The General Tab in a GPO Properties Dialog Box
44
Indicating GPO Processing Exceptions

You can change the default GPO processing order by
- Modifying the order of GPOs for an object
- Specifying the Block Policy Inheritance option
- Specifying the No Override option
- Enabling the Loopback setting
45
Modifying the GPO Processing Order

To modify the GPO processing order:
1. For a domain or OU, open Active Directory Users And Computers; for a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU, and then select Properties.
3. Click the Group Policy tab.
4. In the Group Policy Object Links list, select a GPO and click Up or Down to change its place in the processing sequence.
46
Modifying the GPO Processing Order (Cont.)
47
Blocking Policy Inheritance

To block policy inheritance:
1. For a domain or OU, open Active Directory Users And Computers; for a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU, and then select Properties.
3. Click the Group Policy tab.
4. Select the Block Policy Inheritance check box. (You cannot block GPOs that use the No Override option.)
5. Click OK.
48
Using the No Override Option

To use the No Override option:
1. For a domain or OU, open Active Directory Users And Computers; for a site, open Active Directory Sites And Services.
2. Right-click the site, domain, or OU, and then select Properties.
3. Click the Group Policy tab.
4. Select the GPO you want to modify, and then click Options.
5. In the Options dialog box, select the No Override check box.
6. Click OK.
49
The Options Dialog Box for a GPO
50
Enabling the Loopback Setting

To enable the Loopback setting:
1. Open the Group Policy snap-in for the GPO.
2. In the console tree, expand Computer Configuration until the Group Policy folder is visible.
3. In the details pane, double-click User Group Policy Loopback Processing Mode.
4. Select Enabled.
5. Select one of the following modes from the Mode list:
   - Replace: replaces the GPO list for the user with the GPO list already obtained for the computer at startup
   - Merge: appends the GPO list obtained for the user at logon to the GPO list already obtained for the computer at startup
6. Click OK.
51
The Loopback Processing Mode Properties Dialog Box
52
Filtering GPO Scope

- Policies in a GPO apply only to users with the Read permission for that GPO.
- To filter the scope of a GPO, you can create security groups and then assign the Read permission to the selected groups.
- This prevents a policy from applying to a specific group by denying that group the Read permission to the GPO.
53
Filtering GPO Scope (Cont.)

To filter the GPO scope:
1. Open the Group Policy snap-in for the GPO.
2. Right-click the root node of the console, and then select Properties.
3. Click the Security tab, and then select the security group that you want to filter this GPO through.
4. Set permissions for the group, and then click OK.
54
Linking a GPO to a Site, Domain, or OU

- By default, a new GPO is linked to the site, domain, or OU that was selected in the MMC when it was created.
- You can use the Group Policy tab in the Properties dialog box of the site, domain, or OU to link a GPO to additional sites, domains, or OUs.
55
The Add A Group Policy Object Link Dialog Box
56
Removing a GPO Link

To remove a GPO link:
1. Open Active Directory Users And Computers or Active Directory Sites And Services, as appropriate.
2. In the console tree, right-click the site, domain, or OU object that the GPO is to be unlinked from, and then select Properties.
3. Click the Group Policy tab, select the GPO you want to unlink, and then click Delete.
4. In the Delete dialog box, select Remove The Link From The List, and then click OK.
5. Click Close.
57
Deleting a GPO

To delete a GPO:
1. Open Active Directory Users And Computers or Active Directory Sites And Services, as appropriate.
2. In the console tree, right-click the site, domain, or OU object that the GPO is to be deleted from, and then select Properties.
3. Click the Group Policy tab, select the GPO you want to delete, and then click Delete.
4. In the Delete dialog box, select Remove The Link And Delete The Group Policy Object Permanently, and then click OK.
5. Click Close.
58
Group Policy Best Practices

- Disable unused parts of a GPO.
- Use the Block Policy Inheritance and No Override features sparingly.
- Minimize the number of GPOs.
- Filter policies based on security group membership.
- Use the Loopback setting only when necessary.
- Avoid cross-domain GPO assignments.
59
Lesson Summary

- To implement group policies, you must create a GPO and link it to an Active Directory object, such as a site, domain, or OU.
- In the Properties dialog box of a GPO, you can link the GPO to an additional site, domain, or OU; delegate administrative control; disable unused policy settings; and filter the scope.
- To set group policies, expand the console tree in the Group Policy snap-in to locate the desired setting, open the Properties dialog box, and then select Enable or Disable.
60
Using Security Policies

- One of the primary functions of group policies is to implement security policies that protect network resources from unauthorized access.
- Many security-related policies are found in the Security Settings snap-in, which is in the Group Policy snap-in.
61
The Security Settings Item in a GPO
62
Account Policies

- Account policies apply to computers, and include
  - Password Policy
  - Account Lockout Policy
  - Kerberos Policy
- Windows 2000 permits only one domain account policy—the account policy applied to the root of a domain.
  - Exception: another account policy can be defined for an OU.
63
Password Policy

- Lets you control which passwords users select and how often they must change their passwords
- Password policies include
  - Enforce Password History: specifies the number of previous passwords Windows 2000 remembers for each user
  - Maximum Password Age: specifies the number of days until a password expires
  - Minimum Password Age: specifies the number of days a user must keep a password before the user can change it
  - Minimum Password Length: specifies the smallest number of characters a password can contain
  - Passwords Must Meet Complexity Requirements
  - Store Passwords Using Reversible Encryption For All Users In The Domain: modifies the encryption algorithm so that stored passwords can be recovered rather than only verified
64
Account Lockout Policy

- Locks a user account after a specified number of failed logon attempts
- Account lockout policies include
  - Account Lockout Duration: specifies the number of minutes a user account will remain locked
  - Account Lockout Threshold: specifies the number of failed logon attempts that can occur before lockout
  - Reset Account Lockout Counter After: specifies the number of minutes before the counter resets to zero
65
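A defender-side check of the Password Policy and Account Lockout Policy values on the two slides above, as an added example that is not part of the original slides. It parses the [System Access] section of a security template in the INF layout that Secedit exports and imports (the key names are the ones Secedit uses for these settings); the weak template and the baseline thresholds are constructed for this example and are not the product defaults.

```python
# Constructed sample: a weak template in the INF layout that "secedit /export"
# writes; only the [System Access] section matters for this check.
WEAK_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 3
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text):
    """Return {section: {key: value}} from an INF-style security template."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


# Slide setting -> (INF key, acceptance test on the integer value, expected range).
# The thresholds are this example's baseline, not the product defaults.
CHECKS = {
    "Enforce Password History":
        ("PasswordHistorySize", lambda v: v >= 24, ">= 24 passwords"),
    "Maximum Password Age":
        ("MaximumPasswordAge", lambda v: 1 <= v <= 90, "1-90 days (0 or -1 = never expires)"),
    "Minimum Password Age":
        ("MinimumPasswordAge", lambda v: v >= 1, ">= 1 day, or the history can be cycled through at once"),
    "Minimum Password Length":
        ("MinimumPasswordLength", lambda v: v >= 8, ">= 8 characters"),
    "Passwords Must Meet Complexity Requirements":
        ("PasswordComplexity", lambda v: v == 1, "1 (enabled)"),
    "Store Passwords Using Reversible Encryption":
        ("ClearTextPassword", lambda v: v == 0, "0 (disabled)"),
    "Account Lockout Threshold":
        ("LockoutBadCount", lambda v: 1 <= v <= 10, "1-10 attempts (0 = never lock out)"),
    "Account Lockout Duration":
        ("LockoutDuration", lambda v: v == -1 or v >= 15, ">= 15 minutes (-1 = until an administrator unlocks)"),
    "Reset Account Lockout Counter After":
        ("ResetLockoutCount", lambda v: v >= 15, ">= 15 minutes"),
}


def audit_account_policy(template_text):
    """Return [(slide setting, INF key, value found, expected)] for every setting
    that is missing from the template or weaker than the baseline."""
    system_access = parse_template(template_text).get("System Access", {})
    findings = []
    for setting, (key, acceptable, expected) in CHECKS.items():
        raw = system_access.get(key)
        try:
            value = int(raw)
        except (TypeError, ValueError):       # absent or non-numeric = Not Configured
            findings.append((setting, key, raw, expected))
            continue
        if not acceptable(value):
            findings.append((setting, key, value, expected))
    return findings


if __name__ == "__main__":
    for setting, key, value, expected in audit_account_policy(WEAK_TEMPLATE):
        print(f"WEAK: {setting} ({key} = {value!r}); expected {expected}")
```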
Kerberos Policy

The Kerberos Policy contains the following policies:
- Enforce User Logon Restrictions
- Maximum Lifetime For Service Ticket
- Maximum Lifetime For User Ticket
- Maximum Lifetime For User Ticket Renewal
- Maximum Tolerance For Computer Clock Synchronization
66
Local Policies

- Pertain to the security settings on the computer used by an application or user
- Based on the computer you are logged on to and the rights you have on that particular computer
- Local Policies include:
  - Audit Policy
  - User Rights Assignment
  - Security Options
67
Audit Policy

- An audit policy lets you select security events you want Windows 2000 to write to the security log for later display in Event Viewer.
- When you enable auditing for an event, you specify whether successful attempts, failed attempts, or both will be logged.
- Audit policies include:
  - Audit Account Logon Events
  - Audit Directory Service Access
  - Audit Object Access
68
User Rights Assignment

- User rights grant a user the ability to perform specific tasks.
- Commonly used Windows 2000 User Rights Assignments:
  - Add Workstations To Domain
  - Back Up Files And Directories
  - Log On Locally
  - Manage Auditing And Security Log
  - Restore Files And Directories
  - Take Ownership Of Files Or Other Objects
69
Security Options

Security Options policies enable or disable security settings for the computer that control elements such as
- The digital signing of data
- Administrator and Guest account names
- Floppy drive and CD-ROM drive access
- Driver installation
- Logon prompts
70
The Security Options Policies in a GPO
71
Event Log

- The Event Log security area contains Settings For Event Logs.
- You can set the following policies for each of the three default logs (application, security, and system):
  - Maximum Log Size
  - Restrict Guest Access To Log
  - Retain Log
  - Retention Method For Log
72
The Event Log Policies
73
Restricted Groups

- Use Restricted Groups to prevent users who have been added to a group temporarily from remaining in the group because of neglect.
- The users you add to Restricted Groups are the only users authorized to be permanent members of that group.
- If you add new members without adding them to this policy, the next time group policies are applied, those members are removed from the group.
74
The Restricted Groups Security Area
75
System Services

- The settings in this area specify whether a service should load automatically when Windows 2000 starts.
- Options for each service are
  - Automatic: starts a service automatically at system startup
  - Manual: starts a service only if manually started by an authorized user
  - Disabled: disables a service so it cannot be started
76
Registry and File System Areas

- These areas let you use group policies to set access permissions for registry keys and file system elements, such as folders and files.
- You can edit the security properties of the registry key or file path to specify which user or group objects have permission to access the key or path, as well as to configure inheritance settings, auditing, and ownership permissions.
77
Public Key Policies

Use to control and manage public key certificate settings by performing the following tasks:
- Specify that computers should submit a certificate request to a certification authority and install the issued certificate.
- Create and distribute a certificate trust list.
- Establish common trusted root certification authorities.
- Add encrypted data recovery agents and change the encrypted data recovery policy settings.
78
IP Security Policies on Active Directory

- Settings in this area configure computers on the network to use Internet Protocol Security (IPSec).
- You can use these policies to specify which types of Transmission Control Protocol/Internet Protocol (TCP/IP) traffic should use these IPSec communication modes:
  - Client (Respond Only)
  - Secure Server (Require Security)
  - Server (Request Security)
79
Refreshing Policies

- Sometimes modifications made to security policies do not take effect immediately.
- To initiate policy propagation, you can
  - Restart the computer
  - Wait for automatic policy propagation to occur
  - Use Secedit.exe to refresh the security settings:
      Secedit /refreshpolicy machine_policy
      Secedit /refreshpolicy user_policy
80
Lesson Summary

- GPOs use the Security Settings snap-in to provide many security-related policies.
- Account policies let you control user password and logon behavior.
- Local policies let you configure auditing, user rights assignments, and other security options.
- Restricted Groups lets you enforce membership in user groups.
81
Troubleshooting Group Policy Problems

You need to know the best practices and methods for solving problems that you might encounter relating to group policies.
82
Troubleshooting Group Policy

- Consider dependencies between components.
- When a problem appears in one component, check whether the components, services, and resources that it relies on are working properly.
- Event logs are useful for tracking down causes of dependency-caused problems.
83
Troubleshooting Tips

- You must have both the Read and Write permissions for the GPO in order to open it in the Group Policy snap-in.
- Services that group policies rely on include Active Directory and Domain Name System (DNS).
- Group policies also rely on the Windows 2000 networking components.
84
Troubleshooting Tips (Cont.)

- GPOs are not applied to security groups; group policy affects only users and computers contained in sites, domains, and OUs.
- When multiple GPOs apply, they are processed in this order: local GPO, site GPOs, domain GPOs, and OU GPOs. The settings in the last policy applied take precedence.
85
Troubleshooting Tips (Cont.)

- The No Override option takes precedence over the Block Policy Inheritance option.
- GPOs cannot be linked to Active Directory containers other than sites, domains, and OUs.
- Local GPOs are the weakest; any nonlocal GPO can overwrite them.
86
Lesson Summary

- When troubleshooting group policy problems, check the services that group policies rely on.
- To open a GPO in the Group Policy snap-in, a user needs both the Read and Write permissions.
- Security group memberships do not cause group policies to be applied to users—users receive group policies from the site, domain, or OU that a GPO is linked to.
- No Override takes precedence over Block Policy Inheritance.
87