Creating and managing Group Policy
Exam 70-410
Craig Zacker
Chapter 6
Group policies attach to container objects and affect the objects within the
container. GPOs are used to deploy a multitude of operating system settings to
computers within your network.
Creating Group Policy Objects (GPOs)
GPOs allow the following benefits:
 Centralized configuration of user, application, and desktop settings
 A method of redirecting a user’s data to a network share for easier backups.
 The ability to automate the security of all computers instead of individually.
Understanding Group Policy Objects
Local GPOs – Local GPO’s are supported by all Windows Operating Systems.
Changes made to the LGPOs only affect that one system. Local GPO settings are
fewer than domain GPO settings. LGPO’s are used normally in workgroups and on
kiosks.
Ex. 1
Ex. 2
Nonlocal GPOs – Non LGPOs are created in Active Directory and linked to sites,
domains, and OUs.
Starter GPOs – Starter GPOs are more or less templates used to create more
specific GPOs.
Configuring a Central Store
Administrative templates are used to create GPOs and now have a file extension of
ADMX. Administrative templates define what registry settings are altered when
the GPO is applied to a user object or computer object. Earlier Windows domains
created a copy of the ADM files for each GPO created and placed them in the
SYSVOL folder. This caused a lot of extra redundant storage and replication traffic
between peer domain controllers. When the ADMX file format came out the GPO
tools accessed them from a central store. The central store had only a single copy
of the ADMX files stored on the DCs. By default the Group Policy Management
Console stores the ADMX files in the C:\Windows\PolicyDefinitions folder. If you
want to create a central store you need to copy the entire PolicyDefinitions folder
to the C:\Windows\SYSVOL\sysvol\<Domain_Name>\Policies folder.
Using the Group Policy Management Console
The Group Policy Management Console is the tools used to manage all nonlocal
GPOs. This tool is automatically installed when you promote a server to a domain
controller.
Creating and linking nonlocal GPOs
The Group Policy Management Console is used to create and link a nonlocal GPO.
You can link a nonlocal GPO to the domain root, sites, and OUs.
You need to give the GPO a descriptive name before you can create it.
Using security filtering
GPOs have permissions like any object in a domain. These permissions determine
if a user will or will not be affected by the GPO’s settings. There are two ways to
filter GPOs:
 Scope tab when the GPO is selected. You can add the users, groups, and
computers you want the GPO to affect.
 Delegation tab > Advanced button. Add the user, group, or computer and
check the “Deny” Apply group policy.
 By default, regular user has the read and applies group policy permission
set to allow.
Managing starter GPOs
Starter GPOs allow you to create a common baseline configuration(s) and then
create normal GPOs off of the starter GPO. All GPOs created off the starter GPO
will have the same baseline configuration settings enabled but the administrator
can make other different changes to the normal GPOs. Starter GPOs are good if
you want common settings affecting different users, groups, and computers but
also additional different settings enabled. Starter GPOs do not have the full settings
of normal GPOs just user and computer Administrative Templates.
Create:
Name it:
Configure it:
Create normal GPOs off of the starter:
Configuring Group Policy settings
There are thousands of GPO settings that can be used to affect your user and
computer environment. GPOs consist of two sets of policy settings (User and
Computer) User configuration affect user accounts and computer configuration
affects the computer settings. Each of these two categories consists of three
sections:
 Software settings – Software settings are used to automate the deployment of
software over the network to users and computers. Software settings were
designed for small to medium size networks.
 Windows Settings – Windows settings are commonly security and script
related settings that affect users and computers.
 Administrative Templates – Administrative templates are used to customize
the users or computers working environment.
Each policy setting in a GPO can be set to the following three states:
 Not Configured – Not Configured is the default setting for majority of the
policy settings which does not modify or change the policy setting.
 Enabled – Enable turns the policy on
 Disabled – Disabled explicitly turns off the policy setting.
Configure security policies
Security related group policy settings are located in the Windows Settings portion
of the GPO.
Defining local policies
Local policies affect the local machine. Certain computer information has to be
viewed on each individual computer.
Planning and configuring an audit policy
Audit policies are settings that log system activity that occurs on the local machine.
There are several different audit policy settings and each one logs something
different. When an audit event occurs it is logged in the Event Viewer’s security
log.
You don’t turn on auditing on every single computer in the domain. You must
determine which computers (servers) you want to audit. The following guidelines
should be noted:
 Audit only pertinent items – Determine which important events you want to
audit.
 Archive security logs to provide a documented history - Audit logs should be
saved and then cleared after some time. Saving audit logs helps you keep a
history of events.
 Configure the size of your security logs carefully – You need to determine
the maximum size your security logs can grow. You can configure the log
file size manually or through group policy.
Some common audit policies that exist are:
 Audit Directory Services Access - This will log information about accessing
Active Directory objects.
 Audit Object Access –This will log access to folders, files, and printers.
Auditing user rights
Auditing user rights will log activities about user rights on the system.
Configuring security options
Auditing security options will log local security related event that occur on the
system.
Using security templates
Security templates are files you can export from your systems current security
setting and imported on other systems.
Importing security templates into GPOs
Once you create and customize a security template you can import it into your
GPOs. You need to edit the specific GPO and expand “Computer Configuration >
Polices > Windows Settings > Security Settings” Right click “Security Settings”
and choose “Import”.
To export your current local security settings into a template open the “Local
Security policy” snap-in or type secpol.msc at the run command. Right click the
Security settings and choose “Export” give it a name and save it.
Configuring local users and groups
Local users and groups only have power on the computer they were created on.
They are not used in domain environments. Local users and groups can be created
through “Control Panel” or “Computer Management”.
Using the User Accounts control panel
This method is for users who don’t know much about computer systems.
Using the Local Users and Groups snap-in
Local Users and Groups are accessed through “Computer Manager”.
The follow check boxes exist when creating a local or domain user account:
 User must change password at next logon- Forces the user when the user the
account for the first time to change the default password.
 User cannot change password – Stops user from changing the password.
 Password never expires – User can keep using the same password without
being forced to change it.
 Account is disabled – Stops the account from being used.
Understanding User Account Control (UAC)
Most users log onto a system with more administrative power then they actually
need to get their job done. Even the administrator should have a standard account
and only use the administrator account when needed. In most cases users logon to
the system as the administrator which is convenient. Microsoft uses a mechanism
called User Account Control to combat this issue.
Performing administrative tasks
When a user logs onto a system they are issued a token which determines what
they can or can’t do on the system. Standard users received standard tokens and
administrators received administrator tokens. Now the standard user still receives
the standard token but the administrator receives two tokens (one standard and one
administrative). By default the administrator uses the standard token most of the
time. When the administrator does something that requires elevated rights a
credential prompt appears requesting administrative credentials to complete the
request. After supplying the administrative credentials the program switches into
Admin Approval Mode.
Using secure desktop
Server 2012 uses an alternative called secure desktop instead of interactive
desktop. When Server 2012 issues an elevated prompt is switches to secure
desktop. Secure desktop will lock all other desktop controls and focus only on the
prompt interaction. This will stop malware from trying to elevate its level of
permissions on the system.
Configuring UAC
The four settings that can be used are:
 Always Notify Me
 Notify Me Only When Apps Try to Make Changes To My Computer
 Notify Me Only When Apps Try to Make Changes To My Computer (Do Not
Dim My Desktop)
 Never Notify Me
Configuring Application restriction policies
Application restriction is the ability to stop certain programs that the administrator
deems dangerous from being run on the system.
Using software restriction policies
To enable software restriction policies via group policy you would need to modify
the “Computer/User Configuration > Windows Settings > Security Settings”.
There are three rules that you can use prior to making any “Additional Rules”:
 Disallowed – Prevents all apps from running except the ones under
“Additonal Rules” set to “Allow”.
 Basic User – Stops applications from running that require administrative
rights.
 Unrestricted –Allow all apps to run except the ones under “Additional
Rules” set to “Disallowed”.
Additional rules are the exceptions to the defaults listed above. They fall under
four different ways you can allow or block apps from running.
 Hash Rule: A hash rule generates a math algorithm to the applicaton based
on wheather to allow or block. Hash rules don’t apply if the coding of the
app changes by updates.
 Certificate Rule – A certificate rule assigns a digital certificate to the
application and determines wheather to allow or block it.
 Path Rule – Path rules are based on the location of the executable. Path
rules become invalid if the application is moved to a different location.
 Network Zone Rule – Network Zone Rules are based on the web browser
settings. You can allow or deny the running of any application from the
Internet.
The process of rule order is:
Hash
Certificate
Network Zone
Path
If multiple rules are applied the Hash will win since it’s at the top of the priority
list. If two rules exist at the same level and have conflicting configuration, the
more restrictive wins.
Configuring software restriction properties
Enforcement Properties
Enforcement determines if the software restriction policy affects all files or
excludes .DLLs.
Designated File Types Properties
Determines what file types are considered executables. You can add files
extensions if you need to.
Trusted Publishers Properties
Allows the administrator to determine which certificates to trust or manage trusts.
Using AppLocker
AppLocker is a much easier way of creating software restriction policies the
former example. AppLocker is supported on Windows 7/Server2008 R2 and later.
AppLocker is located in the Computer Configuration\Windows Settings\Security
Settings\Application Control Policies\AppLocker.
Configure rule enforcement
Understanding rule types
AppLocker supports four different rule types:




Executable Rules – any file that ends with .exe or .com
Windows Installer Rules – any file that ends with .msi or .msp
Script Rules – any file that ends with .ps1, .bat, .cmd, .vbs, and .js
Packaged App Rules – any application purchased from the Windows store
The rules created can be allowed or blocked based on:
 Publisher – Applications that are code-signed by creator with a digital
signature.
 Path – Deals with the location of the application in the file systems.
 File Hash – Similar to software restriction hash rules. Associates a math
algorithm with the program which works even if the application is moved.
Creating default rules
By default AppLocker will block all executables, scripts, Installer packages, and
packaged apps when enabled unless they are specifically set to “Allow”.
Creating rules automatically
You can automatically create rules using the “Automatically Generate Rules
Wizard”. The wizard will let you specify a folder to be analyzed and the users and
groups in which the rules apply
Creating rules manually
When you create AppLocker rules manually you will be asked to supply the
following:




Action-Allow or Block
User or Group – Who rule affects
Conditions – Publisher, Path, or Hash rule to create
Exceptions – Exceptions to the rule.