What is Group Policy
Published by: RAJU on Aug 19, 2010
Copyright:Attribution Non-commercial
What Is Group Policy

Administrators of large Windows installations don't configure each workstation and server in the enterprise individually. Rather, they use a mechanism known as group policy to specify security policy and other settings that should be used throughout the domain. As a designer or developer you should know at least a little bit about this mechanism, because it's often used to lock down security throughout an enterprise. It's also used to distribute software applications and patches, as I discuss in HowToDeploySoftwareSecurelyViaGroupPolicy.

You can do some exploring of group policy even if you're at home working on a Windows XP box and not a member of a domain. From an administrative command prompt, just run gpedit.msc to look at a few of the settings on your computer that can be affected by group policy.

First of all, note that at the very highest level group policy is split into two categories: Computer Configuration and User Configuration. Each time a computer in a domain boots up, it downloads the Computer Configuration section of any group policies in Active Directory that pertain to that computer. Similarly, each time a user logs in to a machine interactively, an automatic download of the User Configuration section of any pertinent group policy occurs. In a domain environment, security settings on your workstation may change when you boot up or log in because a domain administrator made changes in policy somewhere upstream.

If you drill down in both the Computer and User Configurations, into Windows Settings, and then into Security Settings, you'll see that the vast majority of security policy is controlled in the Computer Configuration section (see Figure 74.1). Here's where privileges are granted, auditing is enabled, and IPSEC is configured, for example. If you look at a group policy object in a domain setting, you'll see even more security settings. For example, you can specify ACLs on files, directories, registry keys, and even services.

Figure 74.1 Exploring group policy

If you have administrative access to a domain, you can see where group policy is configured. The most common place where group policy is used is on individual domains. Just run the Active Directory Users and Computers console and drill down into a domain. If you right-click a domain and ask for its properties, then click the Group Policy tab, you'll see a list of links to group policy objects in Active Directory that apply to that domain. By default there's only one, the Default Domain Policy, and for a lot of systems that one policy will suffice. Suffice it to say that in most nontrivial Windows deployments, security settings are usually synchronized throughout a domain using group policy.

Figure 74.2 Adding a new group policy object

I've added a new group policy object in Figure 74.2. What's interesting about these policies is that they look really complex to begin with, but they don't say anything at all until you drill into them and start setting policy. For example, note how in Figure 74.2, in the section of my policy that deals with privileges (WhatIsAPrivilege), none of the privileges are defined except for the SeBackupPrivilege, which I said should be granted to a domain group called ACME\Backup. By leaving those other settings as Not Defined, I'm indicating that my policy will have no effect at all on those settings. If no group policy in Active Directory defines a particular setting, the local administrator is free to choose the value of that setting herself.

After rebooting a computer in the domain, I took a snapshot of what its local security policy looked like (Figure 74.3). It's a little subtle, but note how the icon for SeBackupPrivilege is different in the local policy. This is telling you that it's been set by group policy and can no longer be configured locally. In fact, if you double-click the privilege in the local security policy, you'll see that you're prevented from changing it.[1]

Figure 74.3 Local security policy after a group policy download

There are a number of places that group policy can come from. My demonstration was of a group policy object attached to a domain, but technically these objects can also be associated with an organizational unit (OU) or a site in Active Directory. Often more than one policy applies to any given user or machine. The policies higher in the tree generally take precedence over those lower in the tree, but there are switches that you can throw (such as No Override or Block Policy Inheritance) that help manage conflicts. You can read more about these details in the Windows 2000 Server Resource Kit.[2]

Most security settings in group policy are specified in the Computer Configuration section, which is applied each time the computer boots. But what if you want to get these computer settings refreshed without having to reboot your machine? There are a couple of ways this can happen. The first is to force a manual refresh by running gpupdate from a command line (if you're on a Windows 2000 box, the command is a bit different but achieves the same thing: secedit /refreshpolicy machine_policy). The second way is to force a periodic refresh of policy, which you can specify by drilling down into the Computer Configuration of a group policy object. Drill into Administrative Templates/System/Group Policy. Here you'll find settings that control auto-refresh. Oh, and if you happen to force an update of policy while you're looking at, say, the local security policy editor, the GUI won't immediately refresh and show the new policy in force. To force the GUI to display the new settings, right-click on the Security Settings node and choose Reload.

For further reading, check out HowToDeploySoftwareSecurelyViaGroupPolicy to learn how to use group policy to deploy software.

[1] The GUI prevents you from changing it, but an administrator of a machine owns that machine and can ultimately change these settings locally. One way would be programmatically: you could even use the code I provide in HowToGrantOrRevokePrivilegesViaSecurityPolicy to do this (not that I'm suggesting you do). Just keep in mind that if you want these domain-wide settings and restrictions to have any teeth, you better not allow individual users to administer their own machines in the domain!

[2] This is part of the MSDN Library (you do subscribe, don't you?). The section on group policy is in the Distributed Systems Guide, in a part called Desktop Configuration Management.
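As an added example (not code from the book), here is a PowerShell script that automates the check the text does by eye in Figure 74.3: it forces a computer policy refresh with gpupdate, exports the effective user-rights assignments with secedit, and flags any holder of SeBackupPrivilege other than the group the domain policy was supposed to grant it to. The expected group ACME\Backup is the text's hypothetical name, and the script assumes an elevated prompt on a domain-joined machine.

```powershell
# Added example: verify that a privilege delivered by group policy is held by
# exactly the accounts the domain policy specified, using the effective local
# security policy rather than the GUI. Assumes an elevated prompt on a domain
# member; "ACME\Backup" is the hypothetical group from the text.
param(
    [string]$Privilege = 'SeBackupPrivilege',
    [string[]]$Expected = @('ACME\Backup')
)

# Refresh computer policy first so we inspect the post-download state
# (the equivalent of the reboot taken before Figure 74.3).
gpupdate /target:computer /force | Out-Null

# Export only the user-rights area of the effective local security policy.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# secedit writes a Unicode .inf; Get-Content honours its BOM. The line we want
# looks like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
$line = Get-Content $inf | Where-Object { $_ -match "^\s*$Privilege\s*=" } |
        Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
if (-not $line) { Write-Output "$Privilege is not assigned to anyone"; exit 0 }

$holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $v = $_.Trim()
    if ($v.StartsWith('*')) {
        # A leading '*' marks a SID; translate it to DOMAIN\Name where possible.
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $v.Substring(1)   # unresolvable SID (deleted account, broken trust): keep it raw
        }
    } else { $v }
}

# Report drift in both directions: extra holders and missing expected holders.
$unexpected = $holders  | Where-Object { $Expected -notcontains $_ }
$missing    = $Expected | Where-Object { $holders  -notcontains $_ }
"Holders of ${Privilege}: $($holders -join ', ')"
if ($unexpected) { "WARNING: unexpected holders: $($unexpected -join ', ')" }
if ($missing)    { "WARNING: expected holders not present: $($missing -join ', ')" }
```

An unexpected holder here is exactly the case footnote 1 warns about: a local administrator (or a policy lower in the tree) has overridden what the domain policy intended, so this is a useful check to run periodically rather than once.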
