8/22/13 Group Policy Objects (GPOs) and Industry Control Systems: Understanding, Identifying, and Troubleshooting
Tech Note 649
Group Policy Objects (GPOs) and Industry Control Systems: Understanding, Identifying, and Troubleshooting

All Tech Notes, Tech Alerts and KBCD documents and software are provided "as is" without warranty of any kind. See the Terms of Use for more information.

Topic#: 002413
OpsManage09 Session#: TS115
Created: November 2009

Introduction

In many companies, Industry Control Systems (ICSs) are increasingly integrated with the customers' business networks. This integration provides several benefits, such as reduced TCO, better IT manageability, adherence to corporate standards, MES integration, and so on. Wonderware software is often installed and used within Active Directory (AD) environments.

This Tech Note provides guidelines and recommendations for understanding the factors that can affect the functioning of Wonderware software. Specifically, it explains how Group Policy Objects (GPOs) can impact ICS computers.

GPOs are used to enforce "rules of use" on all computers within the domain controlled by Active Directory. In any AD environment, the Default Domain Policy affects all objects in that domain. In addition to the Default Domain Policy, other GPOs can exist below it, and they can also affect any or all objects in the Active Directory.

Whenever an ICS computer is part of both a System Platform and an Active Directory, you must pay special attention to the user rights assignment settings for the ArchestrA User that has been configured via the Change Network Account (aaAdminUser) utility. This user must:

- Be present on all ICS computers (platforms).
- Have the same password on all of them.
- Be a member of the Local Administrators security group.

These requirements ensure that all installed software (e.g.
AABootstrap, AAEngine, AAIDE, etc.) functions properly and that all operations, such as opening the ArchestrA IDE, deploying/undeploying, inter-platform communications, and so on, work as expected. "Access Denied" errors or similar messages can sometimes appear on the ICS computers even when everything has been configured properly. The following section identifies the tools that are normally used for GPO management and troubleshooting.

Suggested GPO Management Tools

Identifying and assessing the potential impact of GPO settings on the ICS computers can be done with Microsoft® tools for managing Group Policy Objects. For the scope of this document, three of them are considered:

- Group Policy Management Console (GPMC)
- Group Policy Results (GPResult)
- Resultant Set of Policies (RSoP)

Group Policy Management Console (GPMC)

The GPMC is the most powerful tool for creating and planning GPOs and requires the .NET Framework 1.1 to be installed on the computer. The GPMC lets you enumerate which GPOs exist in the domain and what their settings are. It also lets you save detailed information to an HTML file, which can be very useful for inclusion in the system's documentation.

Note: This Tech Note does not cover all GPMC features. For more information, please refer to the Microsoft documentation. Check with the customer's IT department to confirm that you have sufficient rights to use the GPMC console.

Figure 1 (below) shows an example of how the GPMC displays the settings configured in a GPO.

Figure 1: GPMC Editor Console

Group Policy Results (GPResult)

GPResult.exe is a command-line utility that can be run against any computer to quickly gather which policies are in effect for a specific user or computer. The following table lists the available command-line switches for the GPResult tool.
Parameter            Function

/s Computer          Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.

/u Domain\User       Runs the command with the account permissions of the user specified by User or Domain\User. The default is the permissions of the user currently logged on to the computer that issues the command.

/p Password          Specifies the password of the user account specified in the /u parameter.

/user TargetUserName Specifies the user name of the user whose RSoP data is to be displayed.

/scope {user|computer}
                     Displays either user or computer results. Valid values for the /scope parameter are user or computer. If you omit the /scope parameter, gpresult displays both user and computer settings.

/v                   Specifies that the output display verbose policy information.

/z                   Specifies that the output display all available information about Group Policy. Because this parameter produces more information than the /v parameter, redirect the output to a text file when you use it (for example, gpresult /z >policy.txt).

/?                   Displays help at the command prompt.

To get the gathered data in a more readable format, you can redirect the output of the GPResult command to a text file that can then be used for analysis, for example: GPRESULT.EXE >C:\GPRESULTS.TXT. Figure 2 (below) shows an example of the information saved to the text file.

Figure 2: .TXT File Output for GPResult Tool

Resultant Set of Policies (RSoP)

The RSoP console generates the results of the GPOs that are in place in the AD domain and quickly shows which settings are effectively in force on the system. The RSoP console is not directly available on the computers, but it can easily be shown with the following procedure.

1. Click Start/Run, and type MMC.
2.
Press the ENTER key.
3. Click File/Add-Remove Snap-in (Figure 3 below).

Figure 3: Add/Remove Snap-in at the MMC Console Root

4. Click Add and choose Resultant Set Of Policy (Figure 4 below).

Figure 4: Add Resultant Set of Policy Snap-in

5. Click Add, then Close, then OK.
6. Once the snap-in is ready, right-click it and click Generate RSoP data.

Figure 5: Generate RSoP Data from Snap-in

7. Follow the steps according to the information you would like to collect, for example the settings for the currently logged-on user or for any other user. Figure 6 (below) shows the filtered results for the Password policy.

Figure 6: RSoP Password Policy Objects

The only limitation of the RSoP is that all settings are displayed in the MMC console, even those that are not configured, so finding the configured settings can be trickier.

Excluding GPOs on Specified Computers

Because the GPOs in an Active Directory affect all computers unless specified otherwise, you must make sure that the basic requirements of Wonderware software are not overridden by GPOs. In an Active Directory, GPOs cascade down the tree: unless you specify otherwise, the settings are applied to all objects in the AD wherever they can be applied. For example, a printer cannot be affected by the "Password must meet complexity requirements" setting, so that setting is not applied in this case.
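Before deciding which settings have to be excluded, it is useful to check, on every platform, whether the ArchestrA account requirements from the Introduction actually hold and which policies currently reach the computer. The following PowerShell script is an added example, not part of this Tech Note and not Wonderware code. It combines the two checks: it reads the local Administrators group over ADSI (WinNT provider) and runs GPResult with the XML output switch (/x, together with /f to overwrite the file; both exist from Windows Vista / Server 2008 on and are not in the switch table above). The platform names, the account name, and the assumption that the report XML exposes the Rsop/ComputerResults/GPO elements and the SecuritySettings Account elements are placeholders and assumptions of this example, and the caller must be an administrator on each platform.

```powershell
# Added example: not part of this Tech Note and not Wonderware code. For each
# platform it reports whether the ArchestrA network account (the account set with
# the Change Network Account / aaAdminUser utility) is a direct member of the local
# Administrators group, which GPOs are applied to the computer and where they are
# linked, and the resultant password policy on that computer.
# Assumptions (placeholders, not from the Tech Note): the platform and account names
# below; gpresult with /x and /f (Windows Vista / Server 2008 and later); the report
# XML uses Rsop/ComputerResults/GPO and SecuritySettings Account elements; the caller
# is an administrator on each platform.

$Platforms     = @('PLATFORM1', 'PLATFORM2')   # placeholder platform (computer) names
$ArchestrAUser = 'DOMAIN\aaAdminUser'          # placeholder ArchestrA network account

function Get-LocalAdminMembers {
    # Direct members of the local Administrators group on one computer, as DOMAIN\name.
    # Nested group membership is not expanded.
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-ComputerRsop {
    # Runs gpresult against one computer (computer scope) and returns its XML report.
    param([string]$ComputerName)
    $file = Join-Path $env:TEMP "rsop_$ComputerName.xml"
    & gpresult.exe /s $ComputerName /scope computer /x $file /f | Out-Null
    if (-not (Test-Path $file)) { throw "gpresult produced no report for $ComputerName" }
    [xml](Get-Content -Path $file -Raw)
}

function Get-AppliedGpos {
    # GPOs that passed security and WMI filtering, with the OU/domain they are linked to.
    param([xml]$Rsop)
    foreach ($gpo in @($Rsop.Rsop.ComputerResults.GPO)) {
        if ($gpo.Enabled -eq 'true' -and $gpo.FilterAllowed -eq 'true' -and $gpo.AccessDenied -eq 'false') {
            "$($gpo.Name) [$($gpo.Link.SOMPath)]"
        }
    }
}

function Get-PasswordPolicy {
    # Resultant account (password) policy entries, e.g. MaximumPasswordAge, MinimumPasswordLength.
    # On a member computer these govern local accounts; domain accounts follow the Default Domain Policy.
    param([xml]$Rsop)
    $security = @($Rsop.Rsop.ComputerResults.ExtensionData.Extension) | Where-Object { $_.Account }
    if (-not $security) { return }
    foreach ($entry in @($security.Account)) {
        $value = $entry.SettingNumber
        if (-not $value) { $value = $entry.SettingBoolean }
        [pscustomobject]@{ Setting = $entry.Name; Value = $value }
    }
}

foreach ($computer in $Platforms) {
    try {
        $admins = @(Get-LocalAdminMembers -ComputerName $computer)
        $rsop   = Get-ComputerRsop -ComputerName $computer
        $policy = Get-PasswordPolicy -Rsop $rsop
        $maxAge = ($policy | Where-Object { $_.Setting -eq 'MaximumPasswordAge' }).Value
        [pscustomobject]@{
            Computer           = $computer
            ArchestrAIsAdmin   = $admins -contains $ArchestrAUser   # must be True on every platform
            AppliedGPOs        = (Get-AppliedGpos -Rsop $rsop) -join '; '
            MaxPasswordAgeDays = $maxAge
            PasswordExpires    = [bool]($maxAge -and [int]$maxAge -gt 0)  # forced expiry breaks the ArchestrA account
        }
    } catch {
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
}
```

Run it from a workstation that can reach all platforms; a platform where ArchestrAIsAdmin is False, or where a GPO linked above the platforms' OU forces password expiry, is the one to look at with the exclusion techniques described in this section.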
To prevent damaging Group Policy settings, such as "users must change password every X days", from being enforced on Wonderware software, you must prevent these unwanted settings from being enforced on the computers where Wonderware software is installed. If security policies do not allow modifications at the top level (for example, changing the minimum password length or the maximum number of days before a password expires), there are other ways to prevent a GPO from being applied to given objects or containers.

There are at least two ways to prevent GPOs cascading from the AD from affecting Wonderware software:

1. Prevent the settings from being applied to the computers where Wonderware software is running.
2. Override the GPO settings with per-case GPOs.

In the first case, your IT administrator(s) can exclude the application of the GPOs to specific computers by creating a WMI (Windows Management Instrumentation) filter, or by placing the computers and users that need to be excluded in a separate Organizational Unit or Group. The IT administrator can then set the GPO not to apply to this OU/Group. In the second case, the IT administrator can create an additional GPO that is set to apply only to the objects in a specific OU/Group/WMI filter.

Here is an example of a WMI filter that does not apply the GPO to computers named COMP1 and COMP2:

SELECT * FROM Win32_ComputerSystem WHERE Name <> "comp1" AND Name <> "comp2"

Note that the two conditions must be joined with AND. Written with OR, the filter is true for every computer, because any name differs from at least one of the two, so the GPO would still be applied to COMP1 and COMP2.

A. Panzetta

Tech Notes are published occasionally by Wonderware Technical Support. Publisher: Invensys Systems, Inc., 26561 Rancho Parkway South, Lake Forest, CA 92630. There is also technical information on our software products at Wonderware Technical Support. For technical support questions, send an e-mail to support@wonderware.com.
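A GPO that carries a WMI filter is applied to a computer only when the filter's WQL query returns at least one object on that computer, so the query from the section on excluding GPOs can be tested on a computer before the filter is linked. The following PowerShell script is an added example, not part of this Tech Note; it runs the exclusion filter against the local computer (standing in for COMP1) and contrasts the AND form with the OR form. The second computer name is a placeholder, Get-CimInstance requires PowerShell 3.0 or later, and a remote check needs WinRM enabled on the target.

```powershell
# Added example, not part of the Tech Note. Tests a GPO WMI filter the way Group
# Policy evaluates it: the GPO applies where the WQL query returns at least one
# object. Run on the computer that stands in for COMP1.
# Assumptions (placeholders): the second excluded computer name; PowerShell 3.0+
# for Get-CimInstance; WinRM on the target when -ComputerName is used.

function Test-GpoWmiFilter {
    # Returns $true when a GPO carrying this WMI filter would apply to the computer,
    # i.e. when the query returns at least one object there.
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$ComputerName = ''          # empty = local computer
    )
    $params = @{ Query = $Query; ErrorAction = 'Stop' }
    if ($ComputerName) { $params['ComputerName'] = $ComputerName }
    $objects = @(Get-CimInstance @params)
    return ($objects.Count -gt 0)
}

$excluded1 = $env:COMPUTERNAME     # this computer stands in for COMP1
$excluded2 = 'COMP2'               # placeholder name of the second excluded computer

# Filter as it should be written: matches every computer except the two named ones.
$andFilter = "SELECT * FROM Win32_ComputerSystem WHERE Name <> '$excluded1' AND Name <> '$excluded2'"
# Same filter with OR: every computer differs from at least one of the two names,
# so the query matches everywhere and the GPO is applied to the "excluded" computers too.
$orFilter  = "SELECT * FROM Win32_ComputerSystem WHERE Name <> '$excluded1' OR Name <> '$excluded2'"

$appliesWithAnd = Test-GpoWmiFilter -Query $andFilter
$appliesWithOr  = Test-GpoWmiFilter -Query $orFilter

[pscustomobject]@{
    Computer       = $excluded1
    AppliesWithAnd = $appliesWithAnd   # $false means the GPO is kept off this computer
    AppliesWithOr  = $appliesWithOr    # $true means the exclusion silently does nothing
}
```

Win32_ComputerSystem.Name is the computer's NetBIOS name and WQL string comparison is case-insensitive, so the casing used in the filter does not matter. Run the same two queries on a computer that is not meant to be excluded and both return $true, which is the intended behaviour for the AND form only.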
©2013 Invensys Systems, Inc. All rights reserved.