Add to collection(s) Add to saved
  1. Social Science
  2. Psychology
  3. Conformity

Planning and Designing Group Policy, Part 1

advertisement 
84-02-06
DATA SECURITY MANAGEMENT
PLANNING AND DESIGNING
GROUP POLICY, PART 1
Melissa Yon
INSIDE
What Is Group Policy?; Software Settings; Windows Settings; Administrative Templates;
Requirements for Group Policy; Group Policy Infrastructure; Accessing Group Policy; Group Policy Hierarchy;
Delegating Group Policy; Group Policy Processing
INTRODUCTION
When Microsoft created Windows 2000, three of the goals were to:
1. lower the total cost of ownership
2. reduce the support administrators must provide
3. improve security features of the operating system
Windows 2000 meets all of these goals if Group Policy (GP) is designed
and implemented correctly.
This two-part series explains GP, how to implement it, and best practices. The present article explains:
•
•
•
•
•
•
•
what GP is
requirements of GP
features of GP
creating a GP
applying a GP
delegating control of a GP
GP processing
PAYOFF
The second article (84-02-07) discusses:
• migration of NT 4.0 System Policies to Group Policy
• using System Policies for downlevel clients
• Group Policy best practices
06/01
IDEA
For years, administrators have wanted the ability
to lock-down users’ desktops and set account
settings, such as password and account lockout
policies. These are some of the many things that
Group Policy can accomplish. Group Policy allows administrators to create a directory-based
policy that can be enforced to all, some, or none
of the client machines, users, and domain controllers. This article explains Group Policy, its requirements and features, creating a Group Policy,
applying a Group Policy, delegating control of a
Group Policy, and Group Policy processing. Part II
(84-02-06), in the next issue of Data Security
Management, discusses migration of NT 4.0
System Policies to Group Policy, using System
Policies for down-level clients, and Group Policy
best practices.
Auerbach Publications
© 2001 CRC Press LLC
DAT A S EC URI T Y MA NA GEMENT
WHAT IS GROUP POLICY?
For years, administrators have wanted the ability to lock-down users’
desktops and set account settings, such as password and account lockout
policies. These are some of the many things that Group Policy (GP) can
accomplish. GP allows administrators to create a directory-based policy
that can be enforced to all, some, or none of the client machines, users,
and domain controllers.
In NT 4.0, system policies were used to implement some of these settings. System policies, however, were not directory based and did not
have the granularity of Windows 2000 Group Policy.
Windows 2000 Group Policy configures computer and user settings to
the administrator’s preference. Group Policy contains major categories,
which are subdivided into additional categories. The following article
section discusses some of these major categories.
SOFTWARE SETTINGS
This category allows the administrator to specify software for a user or
computer. The software can be assigned or published. When applications are assigned, the shortcut of the application appears on the Start
menu and registry entries are added to the registry. When assigned to the
computer, the application is installed during machine start-up. When assigned to the user, the shortcut is displayed on the Start menu. Once the
user selects the application, it is installed.
If the administrator chooses to publish the software, the application is
not advertised or shown on the Start menu. The software is available to
the user; however, the user will need to go to the control panel to
Add/Remove programs to install the application.
The Software Settings category in Group Policy can also be used to
upgrade existing applications and to remove outdated ones.
WINDOWS SETTINGS
The Windows Settings category contains several different sub-categories.
The computer and the user categories differ slightly. The computer subcategories are Scripts and Security. The user sub-categories are Internet
Explorer Maintenance, Scripts, and Security.
Scripts
If configured under the computer settings, scripts automate certain tasks
at start-up and shutdown. If configured under user settings, scripts will
execute at logon and logoff. Scripts can be programmed using PERL, Visual Basic, VB Script, or MS-DOS batch files.
Security Settings
The Security Settings can be defined for the computer or user. Security
Settings configure different settings such as:
P LANNING AND DES I GNI NG GROUP P OL I C Y , P A RT 1
• Account Policies:
– Password and Account Lockout Policies
• Local Policies:
– Configure Audit and User Rights Policies
– Configure detailed Security Options
• PKI Policies:
– Recovery Agents for certificates
– Trusted Root Certificates
– Certificate Requests
• IPSec Policies:
– Event Log
– Restricted Groups
– System Services, Registry
– File Systems
ADMINISTRATIVE TEMPLATES
The Administrative Templates category gives the administrator access to
lock-down the user’s desktop.
Windows Components
Under Windows Components, the administrator can:
• disable NetMeeting
• set Internet Explorer options and preferences under Internet Explorer
• set Windows Explorer options, such as “Remove map network
drive,” “No Computers Near Me in My Network Places,” “Hide Hardware Tab,” and others
• set the Microsoft Management Console (MMC) to prevent users from
entering Author Mode
• with Task Scheduler:
– hide the Task Scheduler Property Pages
– disable New Task Creation
– disable Task Deletion
• configure the Windows Installer settings under Window Components
Network Options
Under the Network Options category, an administrator can:
• configure Offline Folders for the users, so they will have access to the
files saved to their network share
• prevent the use of Offline Folders
• configure the Network and Dial-up options
• give/deny access to users
DAT A S EC URI T Y MA NA GEMENT
It is so granular that some options may be available to users while others
are not. The Network Options settings can be specified under the computer or user configuration.
System Settings
The Administrative Templates includes System Settings under the computer and user configurations. Some of the configurable settings are
found under Logon/Logoff.
An Administrator can:
•
•
•
•
disable Lock Computer
disable Change Password
disable Logoff (along with several other settings)
set Group Policy options such as:
– Group Policy Refresh
– Group Policy Slow Link
– Group Policy Domain Controller Selection
• configure Logon settings, such as how the logon script will run
• enable Disk Quotas
• configure a DNS suffix for a client
User Configuration: Start Menu and Taskbar Options
The Administrative Template also includes a Start menu and Taskbar Options section under the user configuration. Some of those options are:
•
•
•
•
•
•
remove Common Groups from Start menu
remove Search menu from Start menu
remove Help from Start menu
remove Run from Start menu
add Logoff to Start menu
disable Logoff on Start menu
User Configuration: Desktop
Another user configuration category is the Desktop category, which allows an administrator to hide all icons from the desktop. Also, the administrator can configure the Active Desktop and Active Directory (AD)
settings.
User Configuration: Control Panel
The Control Panel category found under User Configuration allows an
administrator to Hide Control Panel. Other options that are useful include
limiting the access to the Add/Remove Programs, Display Icon, Printers
Icon, and Regional Options.
PLANNING AND DESIGNING GROUP POLICY, PART 1
This is a brief overview of some of the settings found in Group Policy.
Each category has many configurable settings. As an administrator, it is
important to be aware of the Group Policy features and how to implement them.
REQUIREMENTS FOR GROUP POLICY
Group Policy is stored in Active Directory; therefore, there are certain requirements that must be met before Group Policy can be implemented.
Because it requires Active Directory, a Domain Controller must be installed. One must have read and access permissions to the system folder
(which is the SYSVOL folder), and one must also have modify rights to
the directory container where the Group Policy will be implemented.
If one does not have a Domain Controller installed, one can implement
a Local Policy on a specific machine. However, this is not a good idea if
one has many machines because each machine will have to be configured
separately, and one is limited to the settings one can configure. Because
the total cost of ownership to implement Local Policy is much greater than
implementing Group Policy, Local Policy is not recommended.
GROUP POLICY INFRASTRUCTURE
Group Policy is stored in Active Directory (AD) as a Group Policy Object
(GPO). Because one Group Policy may not meet all of one’s needs, there
might be multiple Group Policy Objects. The GPO is actually stored on
the Domain Controllers in the domain in which the GPO was created.
The GPO is then linked to a portion of the AD. Once it is linked to a portion of AD, the users or computers in AD will process that Group Policy.
It is not necessary to create multiple Group Policies for the same settings. The same Group Policy can be applied to different areas in AD. Also, the Group Policy will only be processed for the portion of AD to
which it is linked.
ACCESSING GROUP POLICY
Exhibit 1 shows the actual MMC (Microsoft Management Console) screen
where the Default Group Policy is loaded. One can access the MMC and
the Default Group Policy snap-in by taking the following steps:
1.
2.
3.
4.
5.
6.
7.
Click Start>Run.
Type mmc.
Press Enter.
Click Console>Add/Remove Snap-In.
Click Add.
Click Group Policy.
Click Browse.
DAT A S EC URI T Y MA NA GEMENT
EXHIBIT 1 — Accessing the Default Group Policy
8.
9.
10.
11.
12.
Click Default Domain Policy.
Click OK.
Click Finish.
Click Close.
Expand Group Policy.
Linking Group Policy
Group Policy is different from NT 4.0 System Policies in that one does
not link a Group Policy to a Security Group. Group Policies can only be
linked to sites, domains, and organizational units (OUs). The Group Policy can be applied to many users and computers or to few users and
PLANNING AND DESIGNING GROUP POLICY, PART 1
computers. A GPO linked to a site will apply to all users and computers
in that site. A GPO linked to a domain will apply to all users and computers in a domain. Likewise, a GPO linked to an OU will apply to all
users and computers in the OU.
To link a GPO to a site, one must start the MMC and open the AD Sites
and Services Snap-In. The steps are as follows:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
Click Start>Run.
Type mmc.
Press Enter.
Click Console>Add/Remove Snap-In.
Click Add.
Click AD Sites and Services.
Click OK.
Click Finish.
Click Close.
Expand the AD Sites and Services Snap-In.
Right-click the site to which the GPO is being linked.
Click Properties.
Click the Group Policy tab.
Click Add.
Click the GPO.
Click OK.
Exhibit 2 displays the Group Policy Properties screen. Notice that one
can also select New to create a new GPO, select Add to link a GPO, select Edit to edit the selected GPO, or select Delete to break the link of
the GPO to the site, domain, or OU.
If it is necessary to link a GPO to the domain or OU, one must add
another snap-in. The steps are as follows:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
Click Start>Run.
Type mmc.
Press Enter.
Click Console>Add/Remove Snap-In.
Click Add.
Click AD Users and Computers.
Click OK.
Click Finish.
Click Close.
Expand the AD Users and Computers Snap-In.
Right-click the domain or OU to which the GPO is being linked.
Click Properties.
Click the Group Policy tab.
Click Add.
DAT A S EC URI T Y MA NA GEMENT
EXHIBIT 2 — Group Policy Properties Screen
15. Click the GPO.
16. Click OK.
One notices that the Group Policy Properties screen is exactly the same
as the Site Group Policy Properties screen.
GROUP POLICY HIERARCHY
Group Policy is inherited and cumulative. This means that if User Group
Policies are implemented and there are Policies linked to the site, domain, and OUs, all Group Policies apply. If two Group Policies have the
same setting configured, then the setting in the last Group Policy that is
processed will overwrite the setting in the previous Group Policy.
Group Policy hierarchy is processed in the following order:
PLANNING AND DESIGNING GROUP POLICY, PART 1
1. The Local Policy is applied.
2. The GPOs linked to the site are applied.
3. The GPOs linked to the domain (the user or computer is a member)
are applied.
4. The GPOs linked to the OU are applied.
5. Finally, the GPOs linked to the Child OUs are applied.
Finally, if there is more than one GPO linked at the site, domain, or
OU level, the GPO at the top of the list has the highest priority. To look
at it another way, the linked GPOs are processed from the bottom up in
the Group Policy Properties screen.
No Override and Block Inheritance
Microsoft has provided a way for the administrator to override the way
Group Policy is enforced. An administrator can use the “No Override” or
the “Block Inheritance” features.
When the “No Override” option is enabled on a particular GPO, the
settings for that GPO cannot be overwritten by a Group Policy setting
processed later. For example, if the GPO linked to the domain is set to
“No Override,” then the GPO linked to the OU cannot overwrite any settings set at the domain level.
The “Block Inheritance” feature allows the administrator to block settings applied at higher levels. If “Block Inheritance” is checked at the
OU level, no GPO settings that are linked at the site or domain level will
apply, provided the “No Override” has not been selected at the site or
domain level. One cannot use “Block Inheritance” to block a “No Override” GPO.
The “No Override” is selected by clicking options in the Group Policy
Properties screen and selecting “No Override.” The “Block Inheritance” is
selected by clicking the “Block Inheritance” checkbox on the Group Policy Properties screen. Exhibits 3 and 4 show how Group Policy is applied.
Filtering the Group Policy Object
GPOs linked to sites, domains, and OUs are applied to all users and computers in the site, domain, or OU. This is a cause for concern because
one might want to exclude some users and computers from the GPO.
This can be done using Security Groups to filter the GPO.
In the GPO Properties screen, click Properties and click on the Security tab. (To get to the GPO Properties screen, right-click the site, domain,
or OU. Click Properties, click on Group Policy tab [see Exhibit 5].)
Notice that the “Authenticated Users” have “Read and Apply Group
Policy” control. In other words, all authenticated users in the domain or
OU will process and apply this Group Policy — even administrators. To
filter who or what receives this GPO, one must remove the Authenticated
DAT A S EC URI T Y MA NA GEMENT
EXHIBIT 3 — Cumulative Group Policy with No Overrides at the Domain
Level
NA Domain Policy
1. No Run on Start Menu
2. Add Logoff to the Start Menu
na.train.com
Domain GP
Southeast OU Policy
1. Hide all icons on the Desktop
2. Disable Control Panel
Southeast
OU GP
Sales OU Group Policy
1. Disable Command Prompt
2. Enable Run on Start Menu
Sales
OU GP
1.
2.
3.
4.
5.
Cumulative Group Policy
Enable Run on the Start Menu
Add Logoff to the Start Menu
Hide all icons on the Desktop
Disable Control Panel
Disable Command Prompt
Users “Allow” on “Apply Group Policy.” It is also a good idea to remove
the “Read” access. If the “Apply Group Policy” is removed but the “Read”
access is still there, then all authenticated users will still process the
Group Policy. However, they will not apply the Group Policy. To increase performance, uncheck the “Allow” box for “Read” and “Apply
Group Policy” for “Authenticated Users.”
Once access from authenticated users has been removed, one can then
add Security Groups, Users, or Computers and specify “Read” and “Apply
Group Policy” access. One must give “Read” access if one wants it to apply the Group Policy. If one does not give the “Read” and “Apply Group
Policy” access to anyone, then the GPO will not be processed and applied.
The following steps will add a user, computer, or security group.
1.
2.
3.
4.
5.
6.
7.
Click Add from the Security screen.
Click the user, computer, or security group.
Click OK.
Select the user, computer, or security group.
Click to check the Allow box for Read.
Click to check the Allow box for Apply Group Policy.
Click Apply.
P LANNING AND DES I GNI NG GROUP P OL I C Y , P A RT 1
EXHIBIT 4 — Cumulative Group Policy with Block Inheritance at the OU
Level
Americas Site Policy
1. Remove Search from the Start Menu
2. Remove "Map Network Drive" and
"Disconnect Network Drive"
Americas Site
Site GPO
SA Domain Policy
1. Enable Control Panel and set No Override
2. Disable Logoff to Start Menu and set to
No Override
sa.train.com
Domain GP
NA Domain Policy
1. No Run on Start Menu
2. Add Logoff to the Start Menu
na.train.com
Domain GP
Southeast
OU GP
Southeast OU Policy
1. Hide all icons on the Desktop
2. Disable Control Panel
3. Enable "Map Network Drive" and
"Disconnect Network Drive" and
set Block Inheritance
Sales OU Group Policy
1. Disable Command Prompt
2. Enable Run on Start Menu
Sales
OU GP
1.
2.
3.
4.
5.
6.
7.
Cumulative Group Policy
Remove Search from the Start Menu
Add "Map Network Drive" and "Disconnect
Network Drive
Enable Run on the Start Menu
Add Logoff to the Start Menu
Hide all icons on the Desktop
Disable Control Panel
Disable Command Prompt
The SA Domain Policy does not apply here since the user is in the NA domain.
DELEGATING GROUP POLICY
Many companies have an administration team that is dispersed. That is,
they have one administrator for desktop security, one administrator for
accounts, one administrator for network security, or the administration
may be given to the respective departments for their OU. If this is the
case, one can design AD so that an administrator can only link GPOs to
certain sites, domains, or OUs, and only edit already-created GPOs or
create GPOs, but not edit GPOs already created by other administrators.
This is called “Delegating Group Policy.”
One can delegate the following:
• manage group policies for site, domain, OU
• edit Group Policy objects
DAT A S EC URI T Y MA NA GEMENT
EXHIBIT 5 — The GPO Properties Screen
• create Group Policy objects
• Group Policy to control MMC consoles
Administrators, by default, have all of these rights.
Allowing a Non-Administrator to Manage an OU
The following steps will allow a user or group of users to link existing
GPOs to the OU. In the MMC, using AD Users and Computers:
1.
2.
3.
4.
5.
Right-click the OU.
Click Delegate Control.
Click Next.
Click Add.
Select the user(s) or groups.
P LANNING AND DES I GNI NG GROUP P OL I C Y , P A RT 1
6.
7.
8.
9.
10.
11.
Click
Click
Click
Click
Click
Click
Add.
OK.
Next.
Manage Group Policy Links.
Next.
Finish.
Editing Group Policy Objects
In the MMC using Group Policy Snap-In:
1.
2.
3.
4.
5.
6.
7.
8.
9.
Choose the Group Policy allowed to be edited.
Right-click the root of the group policy.
Click Properties.
Click the Security tab.
Click Add.
Select the user or group of users.
Click Add.
Click OK.
If the users will not have the GPO applied to them, make sure that
the Apply Group Policy is NOT allowed.
10. Check Read and Write.
11. Click OK.
Creating Group Policy Objects
The following steps allow a user to create a new GPO. In the MMC using
AD Users and Computers:
1.
2.
3.
4.
5.
6.
Double-click the user.
Click the Member Of tab.
Click Add.
Select Group Policy Creator Owners.
Click Add.
Click OK twice.
Controlling MMC Consoles
Controlling MMC consoles is implemented in several ways. The GPO is
actually used to set and limit many of these rights. For example, many of
these settings are found under User Configuration, Administrative Templates, Windows Components, and Microsoft Management Console.
GROUP POLICY PROCESSING
As previously stated, the Group Policy objects are processed in a hierarchal manner. The Local Policy is processed first and the OU that the com-
DATA SECURITY MANAGEMENT
EXHIBIT 6 — Cumulative Group Policy with Multiple GPOs
NA Domain Policy
NA GPO
1. No Run on Start Menu
2. Add Logoff to the Start Menu
na.train.com
Domain GP
Southeast
OU GP
Southeast OU Policy
Southeast GPO1
(Appears at Top of GPO List)
1. Hide all icons on the Desktop - Block
Inheritance
2. Disable Control Panel
Sales OU Group Policy
1. Disable Command Prompt
2. Enable Run on Start Menu
Sales
OU GP
Cumulative Group Policy
Enable Run on the Start Menu
Add Logoff to the Start Menu
Enable Control Panel
Remove Favorites from the
Start Menu
5. Hide all Icons on the Desktop
6. Disable Command Prompt
1.
2.
3.
4.
puter and user is a member of processes its Group Policy last. Therefore,
the order is as follows:
•
•
•
•
Local Policy
Site Policy
Domain Policy
OU Policy
Of course, if there are nested OUs, each OU will apply its policy. If
there are multiple Group Policies (see Exhibit 6) in any container, the
Policies will be applied from bottom to top in the list. The only time this
order will change is if filtering is applied so that the policy is not applied
for that user, if “No Override” has been enabled, or if “Block Inheritance”
has been marked.
The Computer Configuration Policies are processed at computer startup. Once the computer starts up, the computer will apply all the Computer Configuration Group Policies. The User Configuration Policies are
applied once the user presses CTRL+ALT+DEL. By default, the desktop
will not load until all User Policies are processed. The more policies one
processes, the longer it takes for the desktop to appear.
P LANNING AND DES I GNI NG GROUP P OL I C Y , P A RT 1
Once the user is logged on, the Group Policy, by default, will refresh
every 90 minutes on client machines and every five minutes on domain
controllers. These settings can be configured in Group Policy.
The Policy can also be forced from the command line on the client
machine. One cannot, however, force a refresh on the client from the
server. The command-line command for the client is:
secedit /refreshpolicy {machine_policy | user_policy}[/enforce]
Some of the Group Policy settings are not refreshed. These settings include Software settings and Folder Redirection settings.
Other considerations for Group Policy processing are slow links.
Group Policy will detect and determine if there is a slow link by pinging
the server and measuring the time. If Group Policy determines it is a slow
link, then the configuration set in Group Policy will determine if the policy is loaded.
By now one should be more familiar with Group Policies and how to
create a Group Policy. One should be able to create a Group Policy, link
it to a site, domain, or OU. One should also be able to delegate control
of the OU to a user(s). This is a very good starting point for implementing Group Policy. However, some issues still exist. For example, will
one’s NT 4.0 System Policies migrate to Windows 2000? How can one
create System Policies for down-level clients? Finally, one may know
how to create Group Policy, but what are the best practices for creating
Group Policy? All these issues are discussed in the next Group Policy article (84-02-07).
Melissa Yon, MCSE, MCT, MCP+I, CTT, is currently a technical trainer for Lucent Technologies Worldwide Services. She has nine years of experience in designing and implementing desktop, server, and enterprise solutions
and conducting training. In the last two years, she has designed training materials and delivered training and solutions for Lucent Technologies.
Related documents
GPO Training Program Application
GPO Training Program Application
Group Policy Class Notes
Group Policy Class Notes
Group Policy
Group Policy
Group Policies
Group Policies
applicant details - BC Cancer Agency
applicant details - BC Cancer Agency
The 1916 Easter Rising
The 1916 Easter Rising
1.) Go to: http://www.mypyramid.gov/ 2.) Click on : My Pyramid Menu
1.) Go to: http://www.mypyramid.gov/ 2.) Click on : My Pyramid Menu
Adding a language to the Windows Language Bar
Adding a language to the Windows Language Bar
Group Purchasing Organization Overview
Group Purchasing Organization Overview
Download
advertisement