Active Directory Group Policy

Group Policy Overview
 Successor to NT policies
Much more flexible
 Only applies to Windows 2000 workstations
Use old style policies for NT
 Used to manage desktop environment
 Integrated into Active Directory
What Can Group Policy Manage?
 Administrative Templates — registry-based settings
 Security settings
 Software installation
 Scripts
Login, logout, startup, shutdown
 Folder redirection
 Remote Installation Services
 Internet Explorer maintenance
Registry-based Settings
 Control over desktop, control panel access, Start Menu and
Taskbar, some Windows components, and more…
 Generally three settings — Not configured, Enabled, Disabled
 Implemented via Administrative Templates
Text file with .adm extension
Can create your own
Some programs ship with their own (Office)
Security Policy Settings
 Account Policies — password, account, Kerberos
 Local Policies — auditing, user rights, security options
 Event Log — e.g. maximum size
 Restricted Group — group membership
 System Services — security and startup settings
 Registry — registry key security
 File System — file system security
 Public Key Policies — encrypted data, certificate authorities
 IP Security Policies — IP security
Software Installation
 Use to install software
 Use to upgrade software
 Three methods
Assign applications to users
Assign applications to computers
Publish applications to users
 Available to users, but not installed unless requested
Script Settings
 Assign scripts (login, logout etc.)
 Set processing order
Folder Redirection
 Redirect special folders
Start Menu, Desktop
My Pictures, My Documents, Application Data
 Choices
No redirection
Direct to same location
Different locations based on security groups
Parts of Group Policy Objects
 Each GPO has two sections
Computer Configuration
User Configuration
 Each part may be disabled
Properties of GPO/General
 Recommended — if a section is unused, disable it
E.g. on a GPO that configures the user desktop, disable the Computer Configuration section
Creating Group Policy Objects
 AD Users and Computers
Properties of Domain/OU
Creates new GPO linked to that domain/OU
 AD Sites and Services
To create site GPO
 Also via MMC Group Policy Snap-in
 To create a GPO not linked to a site, domain or OU
How are Group Policy Objects Applied
 GPOs may be linked to AD containers
Sites, Domains and Organizational Units (OUs)
Apply to users and computers within container
 Objects in child OUs inherit GPO settings from parent OUs,
domain and site unless explicitly blocked
 No inheritance across domain boundaries
 One GPO may be linked to multiple containers
 Multiple GPOs may be linked to a container
 GPOs are not linked to groups
Modifying GPO Inheritance
 Block Inheritance
If enabled on a container, objects in container do not
receive any GPO settings from parent containers
 No Override
If enabled on a GPO link, inheritance of GPO settings
cannot be stopped via block inheritance
NB Applied to link, not the GPO itself
Filtering Group Policy Settings
 GPO settings applied to all objects in container
 Filter using security groups
Change default GPO permissions
 Need Read and Apply GP ACEs to be able to apply a GPO
 Need Read and Write GP ACEs to be able to read and
modify a GPO
Deleting and Disabling Group Policy
 Disabling a GPO
 Disable Computer or User sections
 Disable both to disable GPO entirely
 Also disable using Options button in AD Users and
Computers/Container Properties
 Deleting a GPO
 AD Users and Computers
 Will be offered two options
 Remove the link from the list — deletes link but not GPO
 Remove the link and delete the GPO permanently — deletes GPO
Disabling and Inheriting: What do the Properties Belong to?
 Properties of a given GPO
Disable Computer Configuration Settings
Disable User Configuration Settings
 Properties of a given container
Block policy inheritance
 Properties of a given link
No override
Disabled: the GPO is not applied to this container
Storage of Group Policy Objects
 Group Policy Container (GPC)
 Active Directory object storing version, status etc.
 View by enabling Advanced Features in AD Users and Computers,
then System/Policies
 Named by GUID
 Group Policy Template (GPT)
 Sysvol\Policies folder
 Contains all GPO settings
 Named by GUID
 GPC and GPT replicated separately
 Policies only apply if both GPC and GPT are in sync
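The GPC/GPT sync rule above, as an added Python check written for this page (it is not gpotool.exe and not code from the slides): the gpt.ini text and the GPC version number are constructed sample values, and the split of the version number into a computer half and a user half is standard GPO behaviour rather than something the slides state.

```python
# Added check for the "GPC and GPT must be in sync" rule. The GPT side is the
# Version= line in gpt.ini under Sysvol\Policies\{GUID}; the GPC side is the
# versionNumber attribute of CN={GUID},CN=Policies,CN=System in AD.
import configparser
from typing import Dict, NamedTuple

class Versions(NamedTuple):
    computer: int
    user: int

def split_version(version: int) -> Versions:
    """The 32-bit GPO version packs two counters: the low 16 bits count
    Computer Configuration edits, the high 16 bits User Configuration edits."""
    return Versions(computer=version & 0xFFFF, user=(version >> 16) & 0xFFFF)

def parse_gpt_ini(text: str) -> int:
    """Return the Version= value from the [General] section of gpt.ini."""
    ini = configparser.ConfigParser()
    ini.read_string(text)
    return int(ini["General"]["Version"])

def check_sync(gpc_version: int, gpt_ini_text: str) -> Dict[str, object]:
    """Compare both halves; a mismatch on a DC usually means the SYSVOL copy
    (replicated by FRS) has not caught up with AD replication yet."""
    gpc = split_version(gpc_version)
    gpt = split_version(parse_gpt_ini(gpt_ini_text))
    return {
        "in_sync": gpc == gpt,
        "computer": (gpc.computer, gpt.computer),
        "user": (gpc.user, gpt.user),
    }

# Constructed sample: AD has seen three user-side edits, but the gpt.ini on
# this DC reflects only two of them, so the GPO is out of sync.
SAMPLE_GPT_INI = """[General]
Version=131076
displayName=Staff Lockdown
"""
SAMPLE_GPC_VERSION = 196612  # user=3, computer=4
```

Call check_sync(SAMPLE_GPC_VERSION, SAMPLE_GPT_INI) to see which half differs; until both halves match, clients will not apply the GPO.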
Storage of Group Policy Settings
 Stored in client registry
HKEY_LOCAL_MACHINE (Computer settings)
HKEY_CURRENT_USER (User settings)
 Special registry keys used
\Software\Policies (preferred)
 Removed when GPO no longer applies
Order of GPO Application
 Order of application is Site, Domain, OU (SDOU)
 Multiple OUs — order of application is according to
domain hierarchy (start at top of tree and work down)
 Multiple GPOs for same OU — processed in reverse
order of list of GPOs shown for that OU
I.e. GPO at top of list takes precedence
Order can be changed
When are GP Settings Applied?
 Computer settings
On boot
According to periodic refresh cycle
 User settings
On user logon
According to periodic refresh cycle
 If computer and user settings conflict, computer
settings take precedence
Refreshing Group Policy
 Default refresh intervals
Windows 2000 Professional and member servers — every 90 minutes with a randomized 30-minute offset
Domain controllers — every five minutes
 Changed by altering administrative template settings
for user or computers
 Exception — software installation and folder
redirection policies only applied on boot or user
logon, not periodically
 Where settings for GPO of parent container conflict
with those for GPO of child, child container settings
 Where settings from different GPOs linked to same
container conflict, settings of GPO highest in list are
Use Up/Down to change position
 Exception — where computer and user settings
conflict, computer settings win
Except IP Security and User Rights settings
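The application order, link order, Block Inheritance and No Override rules from the slides above, as an added Python model written for this page (not a tool from the slides): the Link and Container types, container names and GPO names are constructed, and the rule that No Override links are applied last, with the one nearest the Site/Domain end winning, is standard Windows behaviour that the slides imply but do not spell out.

```python
# Model of Windows 2000 GPO precedence (Site, Domain, OU, top down),
# constructed for this page rather than taken from the slides. It applies
# the stated rules plus the standard rule that No Override links win.
from dataclasses import dataclass, field
from typing import List

@dataclass
class Link:
    gpo: str
    no_override: bool = False  # set on the link, not on the GPO
    disabled: bool = False     # link disabled via the container's Options

@dataclass
class Container:
    name: str
    links: List[Link] = field(default_factory=list)  # order as listed in the UI
    block_inheritance: bool = False

def application_order(chain: List[Container]) -> List[str]:
    """chain is Site, Domain, then OUs from the top of the tree down.
    Returns GPO names in application order; the last one applied wins."""
    normal: List[str] = []
    enforced_per_container: List[List[str]] = []
    for container in chain:
        if container.block_inheritance:
            # Block Inheritance drops everything inherited from parents
            # except No Override links, which cannot be blocked.
            normal = []
        enforced: List[str] = []
        # The UI lists the highest-precedence link first, so links are
        # applied bottom-up and the top link is applied last.
        for link in reversed(container.links):
            if link.disabled:
                continue
            (enforced if link.no_override else normal).append(link.gpo)
        enforced_per_container.append(enforced)
    # No Override links are applied after every ordinary link, container by
    # container from the bottom of the tree up, so the Site/Domain one wins.
    return normal + [g for c in reversed(enforced_per_container) for g in c]

# Constructed sample: a No Override link on the domain, Block Inheritance
# on OU=Staff, and two links on OU=Sales listed "Desktop" above "Wallpaper".
SAMPLE_CHAIN = [
    Container("Site-London", [Link("Site Policy")]),
    Container("corp.example", [Link("Default Domain", no_override=True)]),
    Container("OU=Staff", [Link("Staff Lockdown")], block_inheritance=True),
    Container("OU=Sales", [Link("Desktop"), Link("Wallpaper")]),
]
```

application_order(SAMPLE_CHAIN) shows the site GPO blocked, "Desktop" beating "Wallpaper" because it sits higher in the list, and the No Override domain GPO applied last so its settings win over the OUs.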
Managing Group Policy Objects
 Creating or editing GPOs controlled by PDC emulator by
Minimise conflicts
 To change
Group Policy mmc snap-in/View/DC Options
Or use Group Policy
 Recommended that this is left unchanged
 NB By default, only Domain Admins, Enterprise Admins,
Group Policy Creator Owners and System account can create
and edit GPOs
Loopback Processing
 Computer settings part of GPO linked to OU apply
only to computers within OU
 Similarly, user settings apply only to users within OU
 Therefore, normally, user in OU A logging on to
computer in OU B gets combination of user settings
from OU A GPOs and computer settings from OU B
GPOs (and any inherited etc.)
Loopback Processing cont.
 May want to apply same user settings to any user
logging on to a given workstation, regardless of user
E.g. classroom, public area workstations
 Loopback processing does this
Merge mode applies normal GPOs for user as well (but
those from computer take precedence)
Replace mode does not apply normal GPOs for user
Local Group Policy
 Computers also have a single Local Group Policy Object
 Only supports Security Settings, Administrative Templates
and Scripts
 Processed before AD GPOs
Block inheritance does not stop its application
 Generally unused in an AD setup
Most useful for configuring standalone computers
 It is possible to delegate responsibility for the
following tasks
Managing links
Creating GPOs
Editing GPOs
Exceptions for Domain Controllers
 Some settings only from GPOs linked to domain
Domain controllers share same account database so some settings
must be the same
Not applied to Domain Controllers OU because DCs may be moved
out of this OU
 NB Can change these settings in other GPOs but will have no
effect on domain policy
Will affect local logons (i.e. non-domain) if they apply to
workstations or member servers
Exceptions for Domain Controllers cont.
 Domain-wide settings
All account policies (Computer Configuration/Windows
Settings/Security Settings)
 I.e. Password, Account lockout and Kerberos policies
Some settings from Computer Configuration/Windows
Settings/Local Policies/Security Options
 Automatically log off users when logon time expires
 Rename administrator account
 Rename guest account
Common Desktop Management
 Package containing GPOs developed for six different
scenarios that can be loaded into AD
Includes white paper describing scenarios
Excel spreadsheet documenting all GPO settings
 Scenarios are for the following
 Lightly Managed Desktop (e.g. power user)
 Mobile User
 Multi-User Desktop
 AppStation (Highly Managed Desktop) (e.g. admin user)
 TaskStation (e.g. single task)
 Kiosk (e.g. public workstation)
Common Desktop Management
 NB Loading GPOs into AD does not mean they take
immediate effect
Not linked to any container
 Use as starting points
 Use Excel spreadsheet to document GPO changes
Common Desktop Management
 White paper
 All files
OU Design Issues
 Deep OU structure
Easier to apply GPOs without filtering
More likely to require inheritance modifications
 Flat OU structure
More likely to need filtering
Easier to troubleshoot (fewer inheritance issues)
Number of GPOs Required
 Few comprehensive GPOs
Less to manage
Shorter logon times
 Many narrowly focussed GPOs
More to manage
Likely to need more filtering
Increased logon times
 In theory, up to 20 GPOs applying to a user should not have
major impact on logon times
Recommendations
 Disable unused parts of GPO (computer, user
 Limit use of inheritance blocking, no override,
loopback processing and filtering
Simplifies troubleshooting
 Limit total number of GPOs that apply to a user or
Improves logon times
Recommendations cont.
 Limit the number of admins who can edit GPOs
 Test thoroughly before applying to users/computers
 Document settings
Use spreadsheets from Common Desktop Management
Scenarios package
 Windows 2000 Group Policy
 Loopback Processing of Group Policy
 How to Use Group Policy Objects to Deploy SP1 for
Windows 2000
 Group Policy Application Rules for Domain
 Domain Security Policy in Windows 2000
 Configuring Account Policies in Active Directory
Diagnosing Problems
 Resource kit
 Gpotool.exe
 Gpresult.exe
 FAZAM 2000
 Help to see end results of applying a number of GPOs
 Reduced functionality version
 Full, commercial version