
MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory

Chapter 7: Configuring Group Policy

Objectives
• Describe the architecture and processing of GPOs
• Configure group policy settings
• Work with security templates
• Manage and monitor group policies
• Configure group policy preferences

MCTS Windows Server 2008 Active Directory


Group Policy Architecture
• Group policy architecture and function involve the following components:
  – GPOs
    • An object containing policy settings that affect user and computer operating environments and security; can be local or AD objects
  – Replication
    • Ensures that all domain controllers have a current copy of each GPO
  – Scope and inheritance
    • The scope of a group policy defines which users and computers are affected by its settings
  – Creating and linking
    • GPOs are created in the Group Policy Management Console and can be linked to one or more AD containers

Group Policy Objects (GPOs)
• A GPO contains policy settings for managing many aspects of domain controllers, member servers, member computers, and users
• Two main types of GPOs
  – Local GPOs
  – Domain GPOs

Local GPOs
• Local GPOs are stored on local computers and are edited via the Group Policy Object Editor snap-in
• Settings in local GPOs that are inherited from domain GPOs can't be changed on the local computer
• Only settings that are undefined or not configured by domain GPOs can be edited locally

New Local GPOs in Windows Vista and Server 2008
• New policies allow setting of different policies depending on who logs on to the computer
  – Local Administrators GPO
  – Local Non-Administrators GPO
  – User-specific GPO
• If these policies are used, they are processed in the above order, which matters for conflict resolution (the last policy setting applied takes precedence)

Domain GPOs
• Domain GPOs are stored in Active Directory on domain controllers
• Consist of two separate parts: a group policy template (GPT) and a group policy container (GPC)
• GPT and GPC have naming structure and folder structure as common traits
• Knowing GPO structure is important for resolving issues

Group Policy Templates
• A group policy template contains all the policy settings that make up a GPO as well as related files, such as scripts, and is contained in the Sysvol share on a domain controller
• Upon creation of a GPO, several files and subfolders are created (the exact number may vary), but each GPT folder will contain at least three items
  – GPT.ini
  – Machine
  – User

Group Policy Containers
• Stored in the System\Policies folder
• Contains GPO properties and status information but no policy settings
• Similar to GPT in that it uses a GPO's GUID for a folder name
• Information contained in a GPC
  – Name of the GPO
  – File path to GPT
  – Version
  – Status


Group Policy Replication
• GPCs are replicated with Active Directory
• GPTs are replicated by one of the following methods:
  – File Replication Service (FRS)
    • Used when running in a mixed environment of differing Windows Server operating systems
  – Distributed File System Replication (DFSR)
    • Used when all DCs are running Windows Server 2008
    • DFSR is more efficient and reliable
• GPC and GPT can become out of sync
• Replication problems can be diagnosed with Gpotool.exe
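As an added illustration (not code from the textbook), the following Python decodes the version number that GPT.ini and the GPC each carry for a GPO and reports which half is out of sync; this is the kind of consistency check a replication-diagnosis tool performs. The GPT.ini text and the GPC value are constructed samples.

```python
"""Added example (not code from the textbook): decode the GPO version number
carried by GPT.ini in SYSVOL and by the GPC in Active Directory and report
which half of the GPO is out of sync. Sample inputs are constructed."""
import configparser

# Constructed GPT.ini, as found in <SYSVOL>\...\Policies\{GUID}\GPT.ini
SAMPLE_GPT_INI = """[General]
Version=131074
displayName=New Group Policy Object
"""

# Constructed gPCVersionNumber attribute value read from the GPC object
SAMPLE_GPC_VERSION = 196610


def split_version(version: int) -> tuple:
    """The version DWORD packs two counters: low 16 bits = Computer
    Configuration, high 16 bits = User Configuration. Each side is
    incremented whenever that half of the GPO is edited."""
    return version & 0xFFFF, (version >> 16) & 0xFFFF


def parse_gpt_ini(text: str) -> tuple:
    """Return (displayName, Version) from the [General] section of GPT.ini."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case as written (Version, displayName)
    cp.read_string(text)
    general = cp["General"]
    return general.get("displayName", ""), int(general["Version"])


def check_sync(gpt_version: int, gpc_version: int) -> dict:
    """Compare both copies of the version; any difference means SYSVOL
    replication (FRS/DFSR) and AD replication have delivered different
    generations of the GPO to this domain controller."""
    gpt_machine, gpt_user = split_version(gpt_version)
    gpc_machine, gpc_user = split_version(gpc_version)
    problems = []
    if gpt_machine != gpc_machine:
        problems.append(f"computer side: GPT={gpt_machine} GPC={gpc_machine}")
    if gpt_user != gpc_user:
        problems.append(f"user side: GPT={gpt_user} GPC={gpc_user}")
    return {"in_sync": not problems, "problems": problems}


if __name__ == "__main__":
    name, version = parse_gpt_ini(SAMPLE_GPT_INI)
    print(name, check_sync(version, SAMPLE_GPC_VERSION))
```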

Creating and Linking GPOs
• Primary tools for managing, creating, and editing GPOs are the Group Policy Management Console (GPMC) and the Group Policy Management Editor (GPME)
• If editing a GPO that is already linked to a container, changes in policy settings take effect as soon as clients download them
• Before introducing multiple policy changes at once, test them individually

Editing an Existing GPO
• To edit, right-click the GPO in GPMC and click Edit, which will open the GPO in GPME
• It is possible to make changes to the Default Domain Policy, but not advisable
• The recommended method for making changes to domain policies is creating a new GPO and linking it to the domain
• GPOs are applied to objects in reverse of the specified link order

Creating a New GPO
• Two ways to create a new GPO with the GPMC
  – Right-click the container you're linking the GPO to and select "Create a GPO in this domain, and Link it here"
  – Right-click the Group Policy Objects folder and click New
• Best practice is to create GPOs that focus on a category of settings and then name the GPO accordingly

Using Starter GPOs
• A Starter GPO is a template for creating GPOs (not a GPT)
• The New GPO wizard includes an option to use a Starter GPO
• Stored in the Starter GPOs folder in GPMC
• To use a Starter GPO, select one in the Source Starter GPO list box in the New GPO Wizard, or right-click a Starter GPO in the Starter GPOs folder and click New GPO from Starter GPO
• To create a Starter GPO, right-click the Starter GPOs folder and click New

Group Policy Scope and Inheritance
• The scope of a group policy defines which objects in AD are affected by settings in the policy
• If two GPOs are applied to an object and a setting is configured on one GPO but not the other, the configured setting is applied
• Policies are applied in the following order:
  – Local policies
  – Site-linked GPOs
  – Domain-linked GPOs
  – OU-linked GPOs

Understanding Site-Linked GPOs
• GPOs linked to a site object affect all users and computers physically located at the site
• Can be used to set up different policies for mobile users
• In a single-site, single-domain environment, it is better to use domain GPOs
• Site GPOs can be confusing for mobile users if policy changes are drastic enough between sites

Understanding Domain-Linked GPOs
• GPOs at the domain level should contain settings that apply to all objects in the domain
• Account policies can be defined only at the domain level
• Best practices suggest setting account policies and a few critical security policies at the domain level

Understanding OU-Linked GPOs
• Fine-tuning of group policies should be done at the OU level
• Users and computers with similar policy requirements should be located in the same OU
• Since OUs can be nested, so can GPOs
• GPOs applied to nested OUs should be used for exceptions to policies set at a higher level

Changing Default GPO Inheritance Behavior
• GPO inheritance is enabled by default
• To see where policies are inherited from, select a container in the left pane of GPMC and click the Group Policy Inheritance tab in the right pane
• There are several ways to affect GPO inheritance
  – Blocking inheritance
  – Enforcing inheritance
  – GPO filtering
  – Loopback policy processing

Blocking GPO Inheritance
• Prevents GPOs linked to parent containers from affecting child containers
• To block GPO inheritance, in GPMC, right-click the child domain or OU and click Block Inheritance
• If blocking is enabled, the OU or domain object is displayed with a blue exclamation point
• Frequent blocking implies a possibly flawed OU design

Enforcing GPO Inheritance
• Enforcing GPO inheritance overrides any conflicting configurations at a deeper level
• If multiple GPOs are enforced, the GPO at the highest level is enforced in a conflict
• Example: If a GPO linked to an OU and a GPO linked to a domain are both set to be enforced, the GPO linked to the domain takes precedence
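An added model (not code from the textbook) of the processing order given on the Scope and Inheritance slide together with Block Inheritance and Enforced from the three slides above: it orders the links and shows which value wins on conflict. Container and GPO names are constructed, and loopback processing is not modelled.

```python
"""Added example (not code from the textbook): a model of how GPO links are
ordered across Local -> Site -> Domain -> OU, honouring link order, Block
Inheritance and Enforced, and which value wins on conflict. All container
and GPO names are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GPO:
    name: str
    settings: dict  # setting -> value; "Not Configured" settings are absent


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # index 0 = GPMC link order 1
    block_inheritance: bool = False


def processing_order(local: Optional[GPO], chain: list) -> list:
    """Return GPOs in the order they are applied (the last applied wins).
    chain runs from the outermost container (site) to the object's own OU."""
    inherited = []        # non-enforced links collected so far
    enforced_groups = []  # enforced links, one group per container, outer first
    for container in chain:
        if container.block_inheritance:
            inherited = []  # drops every non-enforced link from parent containers
        group = []
        # Link order 1 has the highest precedence inside a container, so the
        # links are applied in reverse link order.
        for link in reversed(container.links):
            (group if link.enforced else inherited).append(link.gpo)
        enforced_groups.append(group)
    # Enforced links are applied after all others; the enforced link closest
    # to the root must win, so groups are applied deepest container first.
    order = [local] if local else []
    order += inherited
    for group in reversed(enforced_groups):
        order += group
    return order


def resultant_settings(local: Optional[GPO], chain: list) -> dict:
    """Apply the GPOs in order; a setting configured later overwrites the
    earlier value. Returns setting -> (value, winning GPO name)."""
    result = {}
    for gpo in processing_order(local, chain):
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)
    return result


# Constructed scenario: the OU blocks inheritance, yet the enforced domain
# GPO still wins over the enforced OU GPO for the Firewall setting.
SAMPLE_LOCAL = GPO("Local", {"Screensaver": "off"})
SAMPLE_CHAIN = [
    Container("Site-HQ", links=[Link(GPO("Site-Proxy", {"Proxy": "hq"}))]),
    Container("Domain", links=[
        Link(GPO("Default Domain Policy", {"Screensaver": "10min"})),
        Link(GPO("Corp-Security", {"Firewall": "on"}), enforced=True),
    ]),
    Container("OU=Servers", block_inheritance=True, links=[
        Link(GPO("Servers-Baseline", {"Firewall": "off", "Audit": "full"})),
        Link(GPO("Servers-Legacy", {"Audit": "minimal"}), enforced=True),
    ]),
]

if __name__ == "__main__":
    for key, (value, source) in resultant_settings(SAMPLE_LOCAL, SAMPLE_CHAIN).items():
        print(f"{key:<12} = {value:<8} (from {source})")
```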

GPO Filtering
• GPO filtering allows changing inheritance on an object-by-object basis
• Two types of GPO filtering
  – Security filtering
  – Windows Management Instrumentation (WMI) filtering
• Security filtering uses permissions to restrict objects from accessing a GPO
• WMI filtering uses queries to select a group of computers based on certain attributes and then applies or doesn't apply policies based on the query's results

Loopback Policy Processing
• Normally, the policies that affect user settings follow users to whichever computer they log on to
• Loopback policy processing allows settings in the User Configuration node of the GPO to be applied to all users who log on to the computer
• To use it, enable the "User group policy loopback processing mode" policy in the Computer Configuration\Policies\Administrative Templates\System\Group Policy node

Group Policy Settings
• Settings in Computer Configuration take precedence over settings in User Configuration, should there be a conflict
• Three folders under the Policies folder
  – Software Settings
  – Windows Settings
  – Administrative Templates
• Policy settings can be managed or unmanaged
  – Managed policies reset to 'not configured' when the object falls outside of the policy's scope
  – Unmanaged policies are persistent

Policies in the Computer Configuration Node
• Applies to computers regardless of who logs on to the computer
• Contains most of the security-related settings in the Account Policies, Audit Policy, User Rights Assignment, and Security Options nodes
• Computer configuration policies are uploaded to a computer when the OS starts and are updated every 90 minutes thereafter
• Some policy changes may require a restart

Computer Configuration: Software Settings
• Contains the Software Installation extension, which can be configured to install software packages remotely
• Applications are deployed with the Windows Installer service, which uses MSI files
• Software packages are assigned to target computers, making installation mandatory the next time the computer starts

Advanced Application Deployment Options
• When deploying applications, click the Advanced option button in the Deploy Software dialog box; this will open a Properties box with the following tabs:
  – Deployment tab
  – Upgrades tab
  – Categories tab
  – Modifications tab
• If changes are made to a package, it is not installed again by default; however, the package can easily be redeployed

Computer Configuration: Windows Settings
• The Windows Settings folder contains four subnodes
  – Scripts (Startup/Shutdown)
    • Allows the creation of scripts to be run during startup or shutdown
  – Deployed Printers
    • Can deploy printers to computers by specifying the UNC path to a shared printer
  – Security Settings
    • Contains nodes for setting security policies, such as those related to accounts
  – Policy-based QoS
    • Enables administrators to manage the use of network bandwidth

Security Settings Subnode: Account Policies
• Account policies must be linked to the domain to have any effect
• Account Policies contains three subnodes
  – Password Policy
    • Enforce password history
    • Maximum password age
    • Minimum password age
    • Minimum password length
    • Password must meet complexity requirements
    • Store passwords using reversible encryption
  – Account Lockout Policy
    • Account lockout duration
    • Account lockout threshold
    • Reset account lockout counter after
  – Kerberos Policy

Security Settings Subnode: Local Policies
• Applies to what users can and can't do on the local computer to which they log on
• Usually defined in GPOs linked to OUs containing computer accounts
• Three subnodes of Local Policies
  – Audit Policy
  – User Rights Assignment
  – Security Options

Auditing Object Access
• Two steps for auditing objects
  – Enable the Audit object access policy for success, failure, or both
  – Enable auditing on target objects for success, failure, or both
• Auditing involves considerable overhead; a single object access can create several log entries
• Windows Server 2008 logs successful logon events and certain other events by default, even if auditing is off

Fine-Grained Password Policies
• Fine-grained password policies allow setting different password and account lockout policies for targeted users and groups
• Created by defining a Password Settings Object (PSO) in the Password Settings Container (PSC)
• Two tools can be used to create a PSO
  – ADSI Edit
  – LDIFDE
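As an added example (not code from the textbook), the following Python produces the LDIF record that LDIFDE would import to create a PSO in the Password Settings Container, including the conversion of durations into the directory's interval format and a sanity check of the values. The domain DN, PSO name and group DN are constructed placeholders; the attribute names are the schema's msDS-PasswordSettings attributes.

```python
"""Added example (not code from the textbook): build the LDIF that LDIFDE
would import to create a Password Settings Object (PSO). Domain DN, PSO name
and group DN are constructed placeholders."""
from dataclasses import dataclass
from datetime import timedelta

TICKS_PER_SECOND = 10_000_000  # AD time spans are counted in 100-ns ticks


@dataclass
class PasswordSettings:
    name: str
    precedence: int          # lowest value wins when several PSOs apply
    min_length: int
    history_length: int
    complexity: bool
    reversible_encryption: bool
    min_age: timedelta
    max_age: timedelta
    lockout_threshold: int   # 0 disables lockout
    lockout_window: timedelta
    lockout_duration: timedelta
    applies_to: list         # DNs of users or global security groups


def to_i8(span: timedelta) -> str:
    """PSO durations are stored as negative 100-ns intervals (I8 syntax),
    e.g. 42 days -> -36288000000000."""
    return str(-int(span.total_seconds()) * TICKS_PER_SECOND)


def validate(ps: PasswordSettings) -> None:
    """Reject combinations the directory refuses or that make no sense."""
    if ps.min_age >= ps.max_age:
        raise ValueError("minimum password age must be shorter than the maximum")
    if ps.lockout_window > ps.lockout_duration:
        raise ValueError("lockout observation window cannot exceed lockout duration")
    if not ps.applies_to:
        raise ValueError("a PSO with no msDS-PSOAppliesTo entries applies to nobody")


def build_pso_ldif(ps: PasswordSettings, domain_dn: str) -> str:
    """Return an LDIF 'add' record for the PSO, ready for: ldifde -i -f pso.ldf"""
    validate(ps)
    dn = f"CN={ps.name},CN=Password Settings Container,CN=System,{domain_dn}"
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {ps.precedence}",
        f"msDS-MinimumPasswordLength: {ps.min_length}",
        f"msDS-PasswordHistoryLength: {ps.history_length}",
        f"msDS-PasswordComplexityEnabled: {str(ps.complexity).upper()}",
        f"msDS-PasswordReversibleEncryptionEnabled: {str(ps.reversible_encryption).upper()}",
        f"msDS-MinimumPasswordAge: {to_i8(ps.min_age)}",
        f"msDS-MaximumPasswordAge: {to_i8(ps.max_age)}",
        f"msDS-LockoutThreshold: {ps.lockout_threshold}",
        f"msDS-LockoutObservationWindow: {to_i8(ps.lockout_window)}",
        f"msDS-LockoutDuration: {to_i8(ps.lockout_duration)}",
    ]
    lines += [f"msDS-PSOAppliesTo: {target}" for target in ps.applies_to]
    return "\n".join(lines) + "\n"


# Constructed PSO: stricter rules for the Domain Admins group of a placeholder domain
SAMPLE_PSO = PasswordSettings(
    name="PSO-Admins", precedence=10, min_length=14, history_length=24,
    complexity=True, reversible_encryption=False,
    min_age=timedelta(days=1), max_age=timedelta(days=42),
    lockout_threshold=5, lockout_window=timedelta(minutes=30),
    lockout_duration=timedelta(minutes=30),
    applies_to=["CN=Domain Admins,CN=Users,DC=example,DC=local"],
)

if __name__ == "__main__":
    print(build_pso_ldif(SAMPLE_PSO, "DC=example,DC=local"))
```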

Additional Security Settings Subnodes
• 13 more subnodes under Security Settings
  – Event Log
  – Restricted Groups
  – System Services
  – Registry
  – File System
  – Wired Network (IEEE 802.3) Policies
  – Windows Firewall with Advanced Security
  – Network List Manager Policies
  – Wireless Network (IEEE 802.11) Policies
  – Public Key Policies
  – Software Restriction Policies
  – Network Access Protection
  – IP Security Policies on Active Directory

Computer Configuration: Administrative Templates
• Affects the HKEY_LOCAL_MACHINE section of the computer's registry
• Administrative template files are XML-format files that define policies in the Administrative Templates folder in a GPO
• Uses the file format .admx, or .adml for language-specific files
• All ADMX and ADML files are under %systemroot%\PolicyDefinitions
• The Administrative Templates folder has the following subnodes:
  – Control Panel
  – Network
  – Printers
  – System
  – Windows Components

Policies in the User Configuration Node
• Policies set under the User Configuration node follow a user wherever he or she logs on
• Lacks most of the security settings and account policies
• Policies under the User Configuration node are more focused on the user's environment, such as Windows features that can and can't be accessed

User Configuration: Software Settings
• Performs the same function as in Computer Configuration, but with important differences in options and execution
• A software package can only be assigned to a computer, but for users there are two options
  – Published
    • Isn't installed automatically; includes a link to the application in Programs and Features or Add/Remove Programs
  – Assigned
    • Applications are advertised as a link on the Start menu

User Configuration: Windows Settings
• Windows Settings contains seven subnodes
  – Remote Installation Services
  – Scripts (Logon/Logoff)
  – Security Settings
  – Folder Redirection
  – Policy-based QoS
  – Deployed Printers
  – Internet Explorer Maintenance

Security Settings Subnode: Software Restriction Policies
• Designed to prevent users from running certain applications or to allow users to run only specific applications
• The Security Levels folder contains three rules
  – Disallowed
  – Basic User
  – Unrestricted
• The Additional Rules folder is for exceptions and contains four ways to identify exceptions
  – Hash
  – Certificate
  – Path
  – Network zone
• Three policies can be configured
  – Enforcement
  – Designated File Types
  – Trusted Publishers

The Folder Redirection Subnode
• Allows the redirection of one or more folders in a user's profile directory
• Useful in ensuring that a user's documents are backed up to a server with little to no intervention required from the user
• Can help decrease bandwidth usage when roaming profiles are in use

User Configuration: Administrative Templates
• Affects the HKEY_CURRENT_USER section of the computer's registry
• Very similar to the Administrative Templates in the Computer Configuration node
• Contains the following additional subnodes:
  – Desktop
  – Shared Folders
  – Start Menu and Taskbar

Using Security Templates
• Security templates are text files with an .inf extension that contain information to define policy settings in the Security Settings node
• Can be used to verify current security settings on a computer against the settings in a template
• Three tools for working with security templates
  – Security Templates snap-in
  – Security Configuration and Analysis snap-in
  – Secedit.exe

Security Templates Snap-in
• Can be used to create security templates for use with computers that require different security settings, such as servers with different roles
• When a user creates a template, it is stored under the user's Documents folder in Security\Templates


Security Configuration and Analysis Snap-in
• Useful for checking a computer's existing security settings against the known settings in security template files
• Can also apply a security template to a computer
• Analyzing current security settings against a template creates a report; for each policy setting, there are five possible results
  – An X in a red circle indicates a mismatch
  – A check mark in green indicates a match
  – A question mark in a white circle indicates that the policy wasn't defined or the user doesn't have permission to access the policy
  – An exclamation point in a white circle indicates that the policy doesn't exist on that computer
  – No indicator indicates that the policy wasn't defined in the template
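An added example (not code from the textbook) that reproduces the five analysis outcomes listed above for the [System Access] section of a security template and lists the settings an administrator would need to fix. The template text and the snapshot of current settings are constructed; the key names are the ones the .inf format uses.

```python
"""Added example (not code from the textbook): compare the [System Access]
section of a security template (.inf) with a computer's current settings and
classify each setting with the five outcomes the Security Configuration and
Analysis snap-in reports. Template text and current settings are constructed."""
import configparser

SAMPLE_TEMPLATE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed snapshot of the computer's effective settings. None models a
# value the analysis could not read (undefined, or access denied); a key that
# is missing entirely models a policy that does not exist on this computer.
SAMPLE_CURRENT = {
    "MinimumPasswordAge": 1,
    "MaximumPasswordAge": 90,
    "MinimumPasswordLength": 8,
    "PasswordComplexity": 1,
    "PasswordHistorySize": 24,
    "LockoutBadCount": None,
    "ClearTextPassword": 0,
    "LockoutDuration": 30,
}

# The five outcomes and the indicator the snap-in shows for each
MATCH = "match (green check mark)"
MISMATCH = "mismatch (red X)"
NOT_DEFINED = "not defined or no access (question mark)"
NOT_ON_COMPUTER = "policy does not exist on this computer (exclamation point)"
NOT_IN_TEMPLATE = "not defined in template (no indicator)"


def parse_system_access(inf_text: str) -> dict:
    """Return the [System Access] keys of a template as integers. Templates
    saved by the snap-in are UTF-16; open them with encoding='utf-16'."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case exactly as written in the .inf
    cp.read_string(inf_text)
    return {key: int(value) for key, value in cp["System Access"].items()}


def analyze(template: dict, current: dict) -> dict:
    """Classify every template setting and every extra setting on the computer."""
    report = {}
    for key, wanted in template.items():
        if key not in current:
            report[key] = NOT_ON_COMPUTER
        elif current[key] is None:
            report[key] = NOT_DEFINED
        elif current[key] == wanted:
            report[key] = MATCH
        else:
            report[key] = MISMATCH
    for key in current:
        if key not in template:
            report[key] = NOT_IN_TEMPLATE
    return report


def mismatches(report: dict) -> list:
    """The settings an administrator would correct, e.g. by applying the template."""
    return sorted(key for key, outcome in report.items() if outcome == MISMATCH)


if __name__ == "__main__":
    for key, outcome in analyze(parse_system_access(SAMPLE_TEMPLATE_INF), SAMPLE_CURRENT).items():
        print(f"{key:<22} {outcome}")
```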

Secedit.exe
• Command-line program that performs many of the same functions as the Security Configuration and Analysis snap-in
• Can be automated with scripts and batch files
• Can import or export some or all of the settings between a security database and a template file
• Can compare settings between a security database and a computer's current settings, or apply a database to a computer

GPO Management with GPMC
• GPO Delegation: Eight possible permissions can be applied to GPOs and the container objects to which they're linked through delegation
  – Create GPOs
  – Link GPOs
  – Perform Group Policy Modeling analyses
  – Read Group Policy Results data
  – Read
  – Read (from Security Filtering)
  – Edit settings, delete, modify security
  – Edit settings

GPO Management with GPMC (cont.)
• After a GPO is created, it can be in one of the following states:
  – Link status: unlinked
  – Link status: enabled
  – Link status: disabled
  – GPO status: Enabled
  – GPO status: User Configuration Settings Disabled
  – GPO status: Computer Configuration Settings Disabled
  – GPO status: All Settings Disabled

GPO Backup and Restore
• Backing up a GPO backs up policy settings but also backs up security filtering settings, delegation settings, and WMI filter links
• Does not back up WMI filter files, IPSec policies, and GPO container links
• The procedure for restoring a GPO varies depending on whether you wish to:
  – Restore a previous version
  – Restore a deleted GPO
  – Import settings

GPO Migration
• Migration is useful if multiple domains have similar policy requirements or if you wish to set up a test environment
• GPOs can be migrated across domains in the same or different forests by adding the domain to GPMC
• GPOs can also be migrated using the backup and import procedure

Group Policy Results and Modeling
• The Group Policy Results Wizard creates a report to show administrators which policy settings apply to a user, computer, or both
• Provides the same information as the Resultant Set of Policy (RSoP) snap-in
• Once the wizard finishes, the report has three tabs:
  – Summary
  – Settings
  – Policy Events


Group Policy Results and Modeling (cont.)
• Gpresult.exe performs a similar task to the Group Policy Results Wizard
• Group Policy Modeling allows an administrator to examine the results of policy settings without actually applying anything
• Instead of a Policy Events tab, the Group Policy Modeling report has a Query tab that shows the choices made to produce the report

The ADMX Central Store
• The ADMX Central Store is a centralized location for maintaining ADMX files
• To create a central store, create a folder named PolicyDefinitions in the %systemroot%\SYSVOL\sysvol\domainname\policies folder, then create a language-specific folder that uses the two-character ISO standard for languages, and lastly copy the ADMX files to the store location

Group Policy Preferences
• Creates a standardized environment while simultaneously allowing users to make changes to configured settings
• With group policy preferences, you can perform tasks such as:
  – Create and modify local users and groups
  – Enable and disable devices on a computer
  – Create drive mappings
  – Manage power options
  – Create and manage files, folders, and shortcuts
  – Create and modify printers
  – Customize application settings
• Can use item-level targeting, which enables administrators to target users or computers for each preference based on a set of criteria

Chapter Summary
• Group policy architecture and function involve these components: GPOs, replication, scope and inheritance, and creating and linking GPOs; domain GPOs consist of a GPT stored in the Sysvol share and a GPC stored in Active Directory
• GPO replication is handled by Active Directory replication for GPCs and by FRS or DFSR for GPTs
• You use the GPMC to create, link, and manage GPOs and the GPME to edit GPOs

Chapter Summary (cont.)
• Starter GPOs are like template files
• GPOs can be linked to sites, domains, and OUs; policies are applied in this order, and the last policy setting applied takes precedence when conflicts exist
• Default GPO inheritance can be changed by using inheritance blocking, enforcement, GPO filtering, and loopback policy processing
• The Computer Configuration and User Configuration nodes contain three subnodes: Software Settings, Windows Settings, and Administrative Templates

Chapter Summary (cont.)
• The Security Settings node in Computer Configuration contains the Account Policies subnode with settings that affect all domain users
• The Local Policies subnode in the Security Settings node contains Audit Policy, User Rights Assignment, and Security Options
• Fine-grained password policies, new in Windows Server 2008, make it possible for administrators to define different password policies for select groups of users

Chapter Summary (cont.)
• Administrative Templates can control hundreds of settings on computers and for users
• Security templates are used to transfer security settings easily from one GPO or computer to another and can be used to analyze a computer's current settings against a security database created from one or more security templates
• Group policy management involves managing GPO delegation and GPO status as well as GPO backup and migration
• Group policy preferences, new in Windows Server 2008, enable administrators to set up user and computer environments with preferred settings, but these settings can be changed, unlike policy settings