Group Policy

GROUP POLICY
An overview of Microsoft Windows
Group Policy
MY CREDENTIALS
 B.S. Computer Science
 M.S. Information Technology (2012)
 Certified Information Systems Security Professional (CISSP)
 Network Admin at BCG
 Early NT 3.51 and 4.0 days
 Network Admin and Instructor at Hilbert College
 Transition from NT4 to 2000
 Accounts and Profiles for all students (GPO Based)
 Taught Networking, Databases, Programming in the Computer Security program there
 An admin's perspective who learned it on the job
WHAT IS GROUP POLICY
 Microsoft NT Technology
 Other NOS have their own versions
 Centralized management of clients
 Security management
 Application management
 Profile management
 Can be pushed from domain
 Can be modified locally for individual clients
 Local policy objects are not as in-depth
 Can be pushed as part of disc imaging
WHAT CAN IT DO FOR ME
 Manage security
 Firewall and Networking
 OS configuration restrictions
 Reduce workstation downtime
 Can restrict users from modifying potentially damaging settings
 Manage applications
 Whitelist available applications
 Control which applications are visible
 Roaming profiles
 Centralized data storage
 Full or partial
NOT A SILVER BULLET
 Only as effective as the Information Security Policies it is enforcing
 Needs to be a part of security in depth
 Can be complex to implement and manage
 Improper management can interfere with business goals
 Easy to lock down a machine tighter than it needs to be
 Applications typically use voluntary enforcement
 Possible to modify or interfere with an application reading its policy
WHAT DO I NEED TO USE IT
Domain Based Policy
 Active Directory Domain
 Install Group Policy Management Objects
 Server Roles vary by OS version
 Can be managed using remote administration tools from Vista (2003 Domains) or Windows 7 (2008 Domains)
Local Policy
 Windows NT based OSs
 No domain needed
 Easily configured on XP and above
 Can be used in conjunction with domain policies
 Configured locally on the target client
MANAGEMENT TOOLS
 Group Policy Management Console (GPMC)
 Suite of tools in 2003
 Unified tool in 2008
 Cmdlets
 PowerShell extensions that allow scripting
 Local Policy Editor
 Pre-Windows 7: one user policy for all users
 Gpupdate
 Forces update of policy on machines (XP and later)
WHAT IS A GPO?
 Collection of settings that can be used in a Group Policy
 Most modify registry settings
 Can also be processed by extending applications
 Can be applied to users or computers
 Can be inherited
 Can be linked to multiple policies
POLICY OBJECT TYPES
Computer Policy
 Applies based on the Computer Account
 Useful to configure settings on a specific workstation
 Same for all users on that machine
 Example: remove start menu on public machine
User Policy
 Applies based on the logged in User Account
 Settings travel with the user
 Roaming Profiles go here
 Example: Password policy
HOW IT WORKS
 Machine Boots up
 Machine policy downloaded and applied
 User Logs in
 User Policy downloaded and applied
 Settings may be cached
 Background refresh every 90 +/- 30 min for clients
 gpupdate to refresh immediately
APPLYING MULTIPLE POLICIES
 Local Group Policy objects - Computer's local policy (accessed by running gpedit.msc).
 Site - Group policies that are applied to the AD Site
 Lowest link order processed last, overrides higher links
 Domain - Group policies specified for the AD Domain
 Lowest link order processed last, overrides higher links
 Organizational Unit - Policies for User or Computer OUs
 Lowest link order processed last, overrides higher links
 Inheritance - Inheritance can be blocked or enforced to control what policies
 Use GPMC to see what will actually be applied
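The processing order on this slide (Local, then Site, Domain and OU, with link order 1 applied last, Block Inheritance hiding non-enforced links from above, and Enforced links applied last of all) modelled as a small resolver. This is an added example, not code from the presentation or from any Microsoft tool; the container and GPO names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    order: int              # link order inside the container; 1 = highest precedence
    enforced: bool = False  # "Enforced" (No Override) in GPMC

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def processing_order(chain, local_gpo="Local GPO"):
    """GPOs in the order applied to a client in chain[-1]; chain runs Site -> Domain -> OUs."""
    # Block Inheritance hides every non-enforced link on containers above it.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [local_gpo], []
    for depth, c in enumerate(chain):
        # Highest link-order number first, so link order 1 is applied last and wins.
        for link in sorted(c.links, key=lambda l: -l.order):
            if link.enforced:
                enforced.append((depth, link.gpo))
            elif depth >= block_at:
                normal.append(link.gpo)
    # Enforced links survive blocking and run last; the highest container's enforced link wins.
    enforced.sort(key=lambda t: -t[0])
    return normal + [gpo for _, gpo in enforced]

def effective_settings(order, settings_by_gpo):
    """Merge settings in processing order: a later GPO overrides an earlier one."""
    result = {}
    for gpo in order:
        result.update(settings_by_gpo.get(gpo, {}))
    return result

# Constructed scenario (names made up): a kiosk OU blocking inheritance under a domain
# that enforces a password GPO.
CHAIN = [
    Container("HQ (site)", [Link("Site-Proxy", 1)]),
    Container("corp.example (domain)", [Link("Domain-Password", 1, enforced=True)]),
    Container("Kiosks (OU)", [Link("Kiosk-Lockdown", 1), Link("Kiosk-Apps", 2)],
              block_inheritance=True),
]
SETTINGS = {
    "Site-Proxy": {"ProxyServer": "proxy.corp.example:8080"},
    "Domain-Password": {"MinimumPasswordLength": 14},
    "Kiosk-Apps": {"RemoveStartMenu": False},
    "Kiosk-Lockdown": {"RemoveStartMenu": True, "MinimumPasswordLength": 8},
}
```

Running `effective_settings(processing_order(CHAIN), SETTINGS)` shows the site proxy setting dropped by Block Inheritance, the kiosk's weaker password length overridden by the enforced domain GPO, and link order 1 winning the Start menu conflict.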
TYPICAL POLICY COMPONENTS
 Administrative Templates
 Security Settings
 IP Security Policy
 Software Restriction Policies
 Wireless Network Policies
 Public Key Policies
 Software Installation
 Remote Installation Services
 Scripts
 Internet Explorer Maintenance
 Folder Redirection
 Disk Quotas
 QoS Packet Scheduler
 Custom Registry Modifications
CREATING A POLICY
 Demonstration
ROAMING PROFILES
 Can redirect some or all user data
 Can redirect different sections to different locations
 Administrators do not have access to redirected profiles (by default)
 Allows for centralized backup
 User is no longer dependent on specific machine for user data
 Typically redirected profile folders
 My Documents
 Application Data
 Desktop
 Start Menu
 Folder redirection is under User Settings, Windows Settings
TIPS AND TRICKS
 Lock down Regedit
 Be extremely careful when applying policy to admins and domain controllers
 Calculate space requirements before trying to redirect folders
 Consider implementing quotas
 Gpanswers.com
 Learn to use MSDN and Technet
 Set up a lab environment and play
GETTING STARTED WITH COMMON DEPLOYMENT SCENARIOS
 Lightly Managed
 Mobile
 Multi-User
 App Station
 Task Station
 Kiosk
 GPOs can be obtained for these from:
 Implementing Common Desktop Management Scenarios with the Group Policy Management Console
 http://technet.microsoft.com/en-us/library/cc758350(WS.10).aspx
LIGHTLY MANAGED
 Power Users and Developers
 Is the least managed of all of the scenarios.
 Allows users to customize most settings that affect them but prevents them from making harmful system changes.
 Includes settings that reduce help desk costs and user downtime.
 Full Roaming Profiles with local caching
 speeds up login/logout
 Core set of applications which are always available.
 Users can also install applications
MOBILE
 Laptop and Mobile User Support
 Disconnected user who frequently needs to work offline
 Does not require high speed link
 Offline files
 Partial Roaming to support offline files
 Allows users to disconnect from the network without logging off or shutting down.
MULTI-USER
 Computer laboratory or library
 Allows basic customization of the desktop environment.
 Allows screen saver, background, etc. but no hardware or OS configuration
 Full Roaming Profiles with no caching to protect privacy
 Restricted write access to the local computer
 Can only write data to their own profile
 Highly secure.
APP AND TASK STATION
 Highly restricted configurations with only a few applications.
 Vertical applications such as marketing, claims, and customer-service scenarios.
 Allows minimal customization by the user.
 Allows users to access a small number of applications appropriate to their job role.
 Does not allow users to add or remove applications.
 Full Roaming Profiles with caching
 Provides a simplified desktop and Start menu.
 Restricted write access to the local computer
 Can only write data to their user profile and to redirected folders.
 Is highly secure.
 Task Station
 Only one app available and no start menu
KIOSK
 Unattended machine in a public area, highly secure
 Is a public workstation.
 Runs only one application.
 Uses only one user account and automatically logs on.
 The system automatically resets to a default state at the start of each session.
 Runs unattended.
 Is highly secure.
 Does not allow users to make changes to the default user or system settings.
 Does not save data to the disk.
 Is always on (no log off or shutdown).
Q & A
 Questions, comments?
 My contact info again:
 Patrick Lupiani
 plupiani@gmail.com or plupiani@BuffaloComputerGraphics.com
 716-822-8668