SESSION 6: CREATING A GROUP POLICY TEMPLATE

COMP3122 SESSION 5: CONTROLLING LOCAL AND DOMAIN SECURITY WITH GROUP POLICY TEMPLATES
As with previous exercises, we will use Windows 2003 as the exemplar.
Other equivalent “group policy” systems exist with other network operating
systems.
The order of application of Windows 2003 policies is…
1. the local policy.
2. site level policies (if they exist…) in the administratively specified order.
3. domain level group policies, again in the specified order.
4. group policies associated with the organizational units. If a single
organizational unit contains multiple group policies, the policies are applied in an
administratively specified order.
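As an added illustration (not part of the handout), the Python below resolves the effective value of every setting once the layers above are applied in that order: a setting a GPO leaves Not Configured does not touch the result, and a link marked No Override stops lower layers from changing the settings it does configure. The GPO names and setting values are constructed samples.

```python
# Added example, not from the handout: resolves the effective value of each
# setting across the policy layers in application order (local, site,
# domain, OU), honouring "Not Configured" and a "No Override" link.
from dataclasses import dataclass

NOT_CONFIGURED = None  # a setting left Not Configured never touches the result

@dataclass
class GPO:
    name: str
    settings: dict             # setting name -> "Enabled" / "Disabled" / number
    no_override: bool = False  # link marked No Override: lower layers cannot change it

def resolve(layers):
    """layers: [(scope, [GPO, ...]), ...] in application order.
    Returns {setting: (value, "scope:GPO name" that supplied it)}."""
    effective, locked = {}, set()
    for scope, gpos in layers:
        for gpo in gpos:  # administratively specified order within one scope
            for key, value in gpo.settings.items():
                if value is NOT_CONFIGURED or key in locked:
                    continue  # a later layer normally wins, unless the key is locked
                effective[key] = (value, f"{scope}:{gpo.name}")
                if gpo.no_override:
                    locked.add(key)
    return effective

def demo_layers():
    """Constructed sample: a local policy, no site GPO, one domain GPO, two OU GPOs."""
    return [
        ("local", [GPO("Local Policy", {"AuditLogonEvents": "Disabled",
                                        "MinimumPasswordLength": 6,
                                        "ClearPageFileAtShutdown": "Disabled"})]),
        ("site", []),
        ("domain", [GPO("Default Domain Policy", {"MinimumPasswordLength": 8,
                                                 "AuditLogonEvents": NOT_CONFIGURED},
                        no_override=True)]),
        ("ou", [GPO("Developers", {"MinimumPasswordLength": 4,
                                   "AuditLogonEvents": "Enabled"}),
                GPO("Workstations", {"ClearPageFileAtShutdown": "Enabled"})]),
    ]

if __name__ == "__main__":
    for key, (value, source) in resolve(demo_layers()).items():
        print(f"{key:24} = {value!s:9} (from {source})")
```

Note that No Override protects only the settings the domain GPO actually configures: its Not Configured audit setting is still overridden by the OU GPO.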
First, we can look at local policies on a machine using the Microsoft Management Console (MMC).
MMC does not itself perform Windows 2003 administrative functions, but it does
host many “snap-in” tools that do, by means of “console” files.
It can be used in:
user mode, working with existing MMC consoles to administer a system
author mode, creating new consoles or modifying existing MMC consoles.
In this exercise, as local administrator, you will be able to “author” consoles on
the local machine.
Exercise 5(a): Starting up MMC & Installing the “Security Configuration and Analysis” and “Security Templates” Snap-ins
MMC provides a wizard for adding the various snap-ins that control Windows registry settings, including security features. It also provides access to templates for configuring and controlling all aspects of machine security policy and group security policy.
1. MMC could be accessed from the desktop; in this case, we will use the
command line. Type MMC and press ENTER. The MMC window will
appear.
2. The main MMC window will have a default name console1. On the
console menu, click Add/Remove Snap-in. A new dialogue box should
open.
3. Click on Add. A new dialogue box, Add Standalone Snap-in, should open.
4. Click on Security Configuration and Analysis, and click on Add.
5. Also click on Add for Security Templates, and for Group Policy Object
Editor. The added snap-ins should now appear in the Add/Remove Snap-in
window.
6. Click Close, and then OK, to remove the two dialogue boxes.
7. On the main console menu, click Save As to save the console file.
8. Right-click the Security Configuration and Analysis snap-in, and use the
Open Database feature to create and save the console database, with its
associated policy template, in a suitable folder as a file named
SecurityTools (the .sdb suffix is added automatically).
9. Now right-click the Security Configuration and Analysis snap-in again and
click Analyze Computer Now to get a full rundown of the current settings,
which make up the “local policy” (i.e. the settings for the local machine).
10. Select Local Policies and look at the settings in each category. Plenty of
options are available… are they all appropriately set?
11. When you select security settings, linger a little longer. You should now
be presented with a particularly large number of settings that control
security aspects of local policy. Note that each setting can be set to
enabled, disabled, or not configured.
The “local machine” settings (copied into registry and held there from boot up
onwards) interact with group policy security settings after domain logon to
provide a security profile that is appropriate for that group of users.
Exercise 5(b): Creating a Policy from a Template
A group policy is particularly useful when it is applied at domain level, to provide
local control of settings whenever a user logs on based on the group(s) they
belong to. Group policies don’t just stop at the domain level, but can apply right
across a domain tree.
1. The Group Policy Object Editor is divided into two basic sections,
Computer Configuration and User Configuration.
Computer Configuration settings (such as audit policy, user rights
assignments, and security options) are associated with the local policy
object, whilst User Configuration holds the settings that apply directly
to the user's desktop.
2. Do a bit of exploring to find out where the security settings you looked at
through the analysis tool are actually stored.
As there is no domain to administer at the moment, you can only apply
security settings via template to “local policy”. Nevertheless, what follows
is a useful exercise…
3. Double click on security templates… Now double click again to provide a
list of seven pre-prepared templates. Look at the contents of each in
turn. In particular, look at the three categories in “account policies” and
“local policies”. Also, note that “system services” contains settings for all of
the Windows programs offered as “services”, which may currently be
“undefined”.
4. Make a note of the name, and double-click on one of these files. As you
can see, it is just a configuration file containing lots of settings, rather like
a registry file. The settings are divided into a series of sub-groups (e.g.
account policy, local policies, event log, restricted groups…), and provide
the basis of a security policy for users and groups of users. Double-click
as necessary to look closely at all the settings.
5. Now repeat 4 with a different template file. Can you see how the template
file relates to its function?
6. Working with a partner, spend some time discussing the appropriateness
of each of these settings for users on a typical medium-security network
connected to the Internet. A printout of some settings is available, and
might be helpful to you, but if a setting is not currently defined, it will not
be displayed at all.
7. Make a note of the agreed settings you would wish to impose on users as
a local policy. Be prepared to defend such changes in a discussion… Now
change the settings on one of the templates, and resave it with a different
name. You can save your template file to a USB stick if you wish.
8. Finally… (if someone lets you…) you may be able to use the modified
template file to try out security settings applied locally to another computer.
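As an added example (not from the handout or from Microsoft), here is a small Python reader for the .inf template layout described in step 4, followed by a baseline check in the spirit of Analyze Computer Now: each baseline setting is reported as weak, or as not enforced at all when the template leaves it undefined. The template text and the baseline values are constructed for illustration; the section and key names follow the secedit template format.

```python
# Added example, not from the handout: reader for a secedit-style .inf security
# template plus a constructed baseline check (template and baseline are samples).
TEMPLATE = """\
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
[Version]
signature="$CHICAGO$"
"""

# Constructed baseline: (section, key) -> rule. Event Audit values: 0 none,
# 1 success, 2 failure, 3 both. LockoutBadCount 0 means "never lock out".
BASELINE = {
    ("System Access", "MinimumPasswordLength"): ("min", 8),
    ("System Access", "PasswordComplexity"): ("eq", 1),
    ("System Access", "LockoutBadCount"): ("range", 1, 10),
    ("System Access", "PasswordHistorySize"): ("min", 24),
    ("Event Audit", "AuditLogonEvents"): ("eq", 3),
}

def parse_template(text):
    """Return {section: {key: raw value}} from .inf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def check(sections, baseline):
    """Return [(section, key, message)] for every missing or weak setting."""
    findings = []
    for (section, key), (op, *args) in baseline.items():
        raw = sections.get(section, {}).get(key)
        if raw is None:  # an undefined setting is simply not enforced
            findings.append((section, key, "not defined in template"))
            continue
        value = int(raw)
        ok = {"min": value >= args[0], "eq": value == args[0],
              "range": args[0] <= value <= args[-1]}[op]
        if not ok:
            findings.append((section, key, f"{value} fails {op} {args}"))
    return findings
```

Running `check(parse_template(TEMPLATE), BASELINE)` on the sample flags all five baseline entries, the undefined PasswordHistorySize among them, which is the point step 6 makes about settings that are not currently defined.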
Exercise 5(c): Applying Security Policies to Domains
For controlling security on a real network, this is the really important part…
Fortunately… the principles are the same as for local policies, but there is more
to manage. Implementation of group policies may be outside the time constraints
of this session (you can always come back another time…)
One way to investigate group policies is from Active Directory…
1. Open the Active Directory Management Console (Active Directory
Users and Computers).
2. Locate the container in which your user objects reside (usually an
Organizational Unit).
3. Right-click the container in the left panel tree view and click Properties.
4. Click the Group Policy tab in the Properties dialog.
5. Click New, to add a new Group Policy,
6. Fill in a new Policy name and click Edit.
7. create the group policy… (only joking!!!)
8. Click OK & Close the Group Policy Object Editor.
Another way to control Group Policy settings is to use the legendary GPMC
snap-in for MMC… (try this also, if you have time. It is meant to be quick!)
However, you will need to install it first.
Exercise 5(d): Creating and Accessing Group Policy
1. MMC again…
2. Double-click the Active Directory Sites and Services snap-in in the Available
standalone snap-ins list box.
3. In the Select Group Policy object dialog box, Local computer is selected under
Group Policy object. Click Finish to edit the local Group Policy object. Click
Close in the Add standalone snap-in dialog box.
4. In the Available standalone snap-ins list box, double-click Group Policy.
5. In the Add/Remove Snap-in dialog box, click the Extensions tab. Ensure that
the Add all extensions check box is checked for each primary extension added
to the MMC console (these are checked by default). Click OK.
6. Click Close, and then OK, to remove the two dialogue boxes
7. On the main console menu, click Save As, in the File name text box, type
GPWalkthrough, and then click Save.
Accessing: From Active Directory Sites and Services…
1. In the GPWalkthrough MMC console, in the console tree, click the + next to Active
Directory Sites and Services.
2. In the console tree, right-click the site for which to access Group Policy.
3. Click Properties, and click Group Policy.
Accessing: From Active Directory Users and Computers
1. In the console tree in the GPWalkthrough MMC console, click the + next to Active
Directory Users and Computers.
2. In the console tree, right-click either the reskit domain or the OU for which to access
Group Policy.
3. Click Properties, and click Group Policy.
Note: To access Group Policy scoped to a specific computer (or the local computer), load the
Group Policy snap-in into the MMC console namespace targeted at the specific computer (or local
computer). There are two major reasons for these differences:
- Sites, domains, and OUs can have multiple GPOs linked to them; these GPOs require an
intermediate property page to manage them.
- A GPO for a specific computer is stored on that computer and not in the Active Directory.
Exercise 5(e): Scoping a Domain or OU
To scope the domain or OU, use the GPWalkthrough MMC console that you
saved earlier.
To scope Group Policy for a domain or OU
1. Click Start, point to Programs, click Administrative Tools, and click
GPWalkthrough to open the MMC console you created earlier.
2. Click the + next to Active Directory Users and Computers to expand the
tree.
3. Click the + next to reskit.com to expand the tree.
4. Right-click either the domain (reskit.com) or an OU, and click Properties.
5. Click the Group Policy tab as shown in Figure 3 below.
Figure 3: Group Policy Link Management
This displays a property page where the GPOs associated with the selected
Active Directory container can be managed. You use this property page to add,
edit, delete (or remove), and disable GPOs; to specify No Override options; and
to change the order of the associated GPOs. Selecting Edit starts the Group
Policy snap-in. More information on using the Group Policy property page and
the Group Policy snap-in can be found later in this document.
Note: The Computers and Users containers are not organizational units;
therefore, you cannot apply Group Policy directly to them. Users or computers in
these containers receive policies from GPOs scoped to the domain and site
objects only. The domain controller container is an OU, and Group Policy can be
applied directly to it.
Scoping Local or Remote Computers
To access Group Policy for the local computer, use the GPWalkthrough console
created earlier in this exercise, and choose the Local Computer Policy node.
You can add other computers to the console namespace by adding another
Group Policy snap-in to the GPWalkthrough console, and clicking the Browse
button when the Select Group Policy object dialog box is displayed.
Note: Some of the Group Policy extensions are not loaded when Group Policy is run
against a local GPO.