MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)

Lesson 2: Configuring Group Policy

Now that you've modeled the structure of a typical organization using Active Directory, you have classes of users and computers to which you can apply specific computer configurations by creating a Group Policy.


After this lesson, you will be able to

Estimated lesson time: 30 minutes


Understanding Group Policy

Group Policy is a combination of user interface restrictions and administrative settings that can prevent users from making changes to the computers' configurations or operating the computers in a manner that might violate the organization's security posture. Group Policy can also contain scripts and installation packages to establish a consistent work environment for users.

Group Policy is deployed to users and computers by linking a GPO to Active Directory containers such as sites, domains, OUs, and individual computers. A GPO is a directory containing all the files that are required to enact a Group Policy, and is explained in detail in this lesson. When a GPO is linked to an Active Directory container, it applies a Group Policy to all the computers within that container when they are booted and to all users within that container when they log on to a computer, whether or not the computer is also contained within that container.

Using this simple deployment mechanism, Group Policy provides an automated way for administrators to

To sum up, Group Policy allows administrators to configure administrative and security settings for classes of users and computers and apply them automatically wherever the computers are located and whenever users log on, irrespective of the computer they use.

Linking Group Policy to Active Directory Containers

Administrators can apply GPOs to Active Directory objects by linking them to an Active Directory domain or OU objects using the Active Directory Users And Computers management console, or by linking them to site objects using the Sites And Services management console. A specific GPO can be linked to any number of Active Directory objects. You can link a GPO to a domain or OU in two ways:

Local Group Policy

Local GPOs are GPOs that are stored directly on client computers rather than downloaded from a domain controller. Because they are stored locally, they are always available, even when the computer has no connection to the network or is not a member of a domain.

When Windows starts, local GPOs are applied first. Local GPOs are normally used to control settings on computers that are not part of a domain or are unable to contact the domain, but they can be used on any computer regardless of its domain membership. After local Group Policy settings are applied, computers that are members of a domain then download GPOs from domain controllers based on the computer's membership in a domain, site, or OU, and apply those settings.

Because local GPOs are applied first, their settings are frequently overridden by domain Group Policy settings.

Active Directory Group Policy

Every GPO has two components:

After Windows applies local Group Policy to computers in a domain when they start, it downloads the Computer Configuration portion of any GPOs from Active Directory that apply to them. It then applies the Computer Configuration portion of all GPOs before displaying the logon prompt.

When users log on, the process is repeated for the User Configuration portion of the same set of GPOs.

GPOs cannot be applied if the user does not have Read and Apply permissions to the GPO. Because Read and Apply permissions are required, permissions can be used to filter the application of Group Policy based on user membership in a security group. Permissions are the subject of Chapter 4, "Account-Based Security."

Group Policy Application Order

GPOs are applied in the following order by default:

  1. Local Group Policy

  2. Site-linked Group Policy

  3. Domain-linked Group Policy

  4. OU-linked Group Policy

Domain and OU GPOs are downloaded and applied in hierarchical order from parent to child within the Active Directory structure. For example, if a computer were located within the Sales OU in the example domain created in Lesson 1, it would download Group Policy settings applied to the domain.fabrikam.com domain, the Marketing OU, and the Sales OU, in that order.

Unless a GPO is specifically set not to allow overrides, Group Policy settings automatically override the same Group Policy settings applied by earlier GPOs. For example, if a Group Policy for the Marketing OU specifies that objects on the desktop should be disabled, but the same Group Policy setting for a GPO linked to the Sales OU specifies that they should be enabled, they will be enabled for a computer in the Sales OU but disabled for a computer within the Marketing OU.

Administrators can change the default order in which GPOs are applied by modifying the settings for the link between the Active Directory object and the GPO (as discussed later in this lesson).

So that you can more easily determine the combined effects of GPO settings, it is good practice to construct Group Policy settings that are more specific and more restrictive as you descend through the Active Directory container hierarchy.

Administrators can also modify the application order of GPOs for any Active Directory container. By modifying the application order, administrators can prioritize certain GPOs to ensure that their settings will override other GPOs, or flag a GPO to prevent its settings from being overridden no matter when it is applied. For example, you might have a GPO that contains critical password policies that you want to have enforced no matter what policies might be set in other GPOs. By prioritizing that GPO, you ensure that it is applied last and that its settings override those contained in other GPOs.

Physical Structure of GPOs

Physically, GPOs are packages of files that are interpreted on the client computers to which the GPO is linked. GPOs are stored as folders and files in the domain controller's SYSVOL share and are automatically replicated among domain controllers.

Group Policy is implemented by a number of distinct components called Group Policy client-side extensions. Each extension interprets the specific files stored in the GPO in Active Directory that pertain to it and makes various changes to the client based on the settings contained in the GPO. The various Group Policy client-side extensions manage

In addition to these functions, independent software vendors (ISVs) can create additional Group Policy client-side extensions, and Microsoft can release more of these extensions in future versions of Windows.

The various Group Policy client-side extensions account for the wide range of functionality in Group Policy. Group Policy is not just registry settings, or registry settings plus scripts plus installation policies. Group Policy is any type of file contained in a GPO and interpreted by a Group Policy client-side extension. This extensibility of Group Policy is one of its primary advantages, but it also makes Group Policy somewhat complex.

The Group Policy client-side extension that manages registry settings to modify the behavior of the operating system is configured through .adm files, which contain information about registry keys, their available settings, and their location within the Group Policy namespace (the object hierarchy visible in the Group Policy editor). Two .adm files are especially important: Inetres.adm, which controls Internet Explorer registry settings, and System.adm, which controls Windows settings. Conf.adm, which controls NetMeeting configuration, is also included by default. Administrators can create their own .adm files to add functionality to a GPO. These files are stored within each GPO's \ADM folder in SYSVOL. In the case of Local GPOs, .adm files (and all other Group Policy files) are stored within the %SystemRoot%\system32\GroupPolicy folder.

Group Policy folders within a domain controller's SYSVOL directory are named using an automatically generated globally unique identifier (GUID). No two GUIDs are identical. Each GUID is unique among domain controllers anywhere in the world. Therefore, when two organizations and their Active Directories merge, their Group Policy folders won't conflict because they have different identifiers.

You can determine which folder corresponds to a specific Group Policy by looking at the Group Policy's Properties dialog box. The GUID for a specific policy is displayed, and it matches the name of the folder that contains the GPO in the SYSVOL share.

Logical Structure of GPOs

Every GPO has two components:

In a GPO's properties, it is good practice to limit the GPO to either Computer Configuration or User Configuration policies and disable the other policy type. This practice will enhance the organization of your Group Policies by separating User Configuration settings from Computer Configuration settings. It will also speed the application of Group Policy because, if a policy contains both sets of settings, it must be loaded twice, and for each load, half of the policy will not apply.

Splitting GPOs into those that apply to users and those that apply to computers, and disabling the portion that is not necessary, reduces the load time for GPOs.

Computer Configuration and User Configuration policies each have three major divisions:

Figure 1.3 shows the logical structure of a GPO within a management console.

Figure 1-3. The computer and user portions of a GPO

Managing Group Policy

You can manage Group Policy by navigating through Active Directory using either the Active Directory Users And Computers management console or the Active Directory Sites And Services management console. Once you have navigated to the specific Active Directory object to which a Group Policy will apply, you can open the object's Properties dialog box and manage the GPOs that are linked to that object.

Creating GPOs

You can create GPOs on the Group Policy tab of an Active Directory object's Properties dialog box. Click the New button to create a new GPO in the domain controller's SYSVOL, assign it a GUID, and populate it with default administrative templates. You can then click Edit to modify the default Group Policy for the purpose you intend.

Linking GPOs to Active Directory Objects

Each GPO is automatically linked to the Active Directory object from which you created it. If you want to link the same GPO to a different Active Directory object, manually create a link by clicking the Add button on the Group Policy tab in the Properties dialog box for the target Active Directory object, and then, in the Add A Group Policy Object Link dialog box, selecting the appropriate GPO from the list. You can link a single GPO to any number of Active Directory objects.

GPO Settings

There are numerous specific settings you can use to control how a GPO is applied to an Active Directory object. These settings do not modify the GPO itself; they modify the link between the GPO and the Active Directory object to which it applies.

In the Properties dialog box for an Active Directory object, you can change the order in which GPOs are applied to the object by modifying their order in the Group Policy list. GPOs listed lowest are applied first, followed by GPOs higher in the list. The GPOs at the bottom of the list have the least effect because they are overridden by the settings in GPOs listed above them. It's important to remember that GPOs at the top of the list have the highest priority and effectiveness. To change the order in which GPOs are applied, select a specific GPO and then use the Up and Down buttons to move it to the position you want.

If you have extremely important Group Policy settings that must be effective no matter where they occur in the Group Policy Application order, you can flag the GPO to allow no overrides from subsequently applied GPOs. This feature is extremely useful for enforcing security within a single GPO. By containing security-related Group Policy settings within a single GPO and setting that GPO to disable policy override, you need not worry about the application order of GPOs or about other GPOs that might apply to a specific Active Directory object. To prevent subsequent GPOs from overriding a GPO, click the Options button on the Group Policy tab of the Active Directory object's Properties dialog box, and select the No Override check box.

To test the effects of a specific policy or to temporarily disable a restriction, you can disable the application of a GPO that is linked to an Active Directory object. To do so, click the Options button on the Group Policy tab of the Active Directory object's Properties dialog box and select the Disabled check box.

By default, GPOs contain both a Computer Configuration portion and a User Configuration portion. To optimize speed and minimize network traffic, you should separate your GPOs into those that affect computer configuration and those that affect user configuration. You can disable the unnecessary portion (either the Computer or the User Configuration settings) of a GPO by clicking the Properties button on the Group Policy tab and selecting the Disable Computer Configuration Settings check box or the Disable User Configuration Settings check box.

Delegating Group Policy Management

In large organizations, administrative control is delegated on a per-domain or per-OU basis. Domains and OUs require somewhat different security and administrative settings. Some security settings are mandated for the entire organization or large parts of it, while other settings might be appropriate only for specific child domains or OUs.

When administrative control is delegated for portions of Active Directory, you must restrict administrators from modifying GPOs that are outside of their authority. Because an administrator must have both Read and Write access to modify a GPO, you can restrict access by changing permissions to remove Write access for GPOs outside an administrator's authority.

Filtering Group Policy Application

Users are normally assigned to a single OU. User policies are also assigned on a per-OU basis. However, some users within the OU, such as power users or subordinate administrators, might require different security settings.

To separate users within an OU so that different GPOs are applied to them, you can either create subordinate OUs, applying the various GPOs to those subordinate OUs rather than to the parent OU, or you can filter the application of a Group Policy setting by using permissions.

A GPO can be applied to a user only if the user has Read and Apply Group Policy permissions to the object. By default, Authenticated Users inherit these rights for all GPOs, so this is not normally an issue.

You can prevent the application of a GPO to a user or group of users by creating a specific Deny Access Control Entry in the Group Policy Object's access control list (ACL). ACLs are used to determine which users can access a specific secured resource such as a file or folder. ACLs are explained in detail in Chapter 4, "Account-Based Security."

Because users must have Read access to a GPO to apply it, it is possible for a hacker to open a GPO for exclusive read and prevent other user accounts from applying the GPO. Use the auditing features of Windows 2000 described in Chapter 4 to be alerted to this type of activity.

While Group Policy filtering is effective, it is best practice to create additional subordinate OUs and control the assignment of GPOs through links to those additional Active Directory objects. Filters are not obvious in the Active Directory Users And Computers management console, so it can be very difficult to tell when they are in effect. Administrators who rely on filtering frequently have problems troubleshooting the application of Group Policy because there's no way to survey the entire scope of application when filters are in use.

Use Group Policy filtering only in those rare cases when you cannot apply Group Policy the way you want using additional Active Directory container objects and linking, such as when the GPO is far up the Active Directory hierarchy and you do not have administrative rights to move the GPO to a more appropriate location.
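The following Python model is an added example, not code from the training kit: it applies the precedence and filtering rules this lesson describes (local, site, domain and OU order; link order within a container; No Override; Disabled links; Read plus Apply Group Policy with Deny ACEs) to the Fabrikam GPOs configured in the practice exercises. The OU-level GPO names, the individual settings and the ACL contents are constructed for illustration.

```python
"""Added model (not from the training kit) of how Windows 2000 resolves the
Group Policy rules this lesson states: local, site, domain, then OUs from parent
to child; within one container the link at the bottom of the list applies first
and the top link applies last and wins; a later GPO overrides an earlier one for
the same setting unless that setting came from a No Override link; Disabled
links are skipped; a GPO applies only to principals holding Read and Apply
Group Policy with no Deny ACE. GPO names, settings and groups are constructed."""
from dataclasses import dataclass, field

AUTH_USERS = "Authenticated Users"
DOMAIN_ADMINS = "Domain Admins"


@dataclass
class GPO:
    name: str
    settings: dict                     # setting name -> value (user settings)
    allow: dict = field(default_factory=dict)       # group -> allowed permissions
    deny_apply: set = field(default_factory=set)    # groups with Deny Apply Group Policy

    def applies_to(self, groups):
        """Read and Apply Group Policy are both required; a Deny ACE on any of
        the user's groups beats every Allow (the filtering of Exercise 4)."""
        if self.deny_apply & groups:
            return False
        needed = {"Read", "Apply Group Policy"}
        return any(needed <= self.allow.get(g, set()) for g in groups)


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False          # Options > No Override
    disabled: bool = False             # Options > Disabled


def resolve(containers, groups):
    """containers: [(container name, links listed top-to-bottom as on the
    Group Policy tab)], ordered local, site, domain, parent OU, child OU.
    Returns (effective settings, name of the GPO that supplied each one)."""
    effective, source, enforced = {}, {}, set()
    for _container, links in containers:
        for link in reversed(links):           # bottom of the list applies first
            if link.disabled or not link.gpo.applies_to(groups):
                continue
            for key, value in link.gpo.settings.items():
                if key in enforced:
                    continue               # owned by an earlier No Override GPO
                effective[key], source[key] = value, link.gpo.name
                if link.no_override:
                    enforced.add(key)      # nothing applied later may change it
    return effective, source


def default_acl():
    # Authenticated Users receive Read + Apply Group Policy on every new GPO.
    return {AUTH_USERS: {"Read", "Apply Group Policy"}}


# Constructed GPOs mirroring the practice exercises and the Marketing/Sales example.
LOCAL = GPO("Local GPO", {"run_menu": "visible"}, default_acl())
DOMAIN_SECURITY = GPO("Domain Security Group Policy", {"password_min_length": 8}, default_acl())
STANDARD_DESKTOP = GPO("Domain Standard Desktop",
                       {"desktop_objects": "disabled", "run_menu": "hidden"},
                       default_acl(), deny_apply={DOMAIN_ADMINS})   # filtered in Exercise 4
DEFAULT_DOMAIN = GPO("Default Domain Policy", {"password_min_length": 0}, default_acl())
MARKETING_GPO = GPO("Marketing Desktop", {"desktop_objects": "disabled"}, default_acl())
SALES_GPO = GPO("Sales Desktop", {"desktop_objects": "enabled", "password_min_length": 4},
                default_acl())
OU_LINKS = {"Marketing": [Link(MARKETING_GPO)], "Sales": [Link(SALES_GPO)]}


def fabrikam(ou_path, groups):
    """Resultant settings for a user in the given OU path (parent first) of
    domain.fabrikam.com, as the domain is configured after Exercises 2 and 4."""
    containers = [
        ("Local", [Link(LOCAL)]),
        ("domain.fabrikam.com", [
            Link(DOMAIN_SECURITY, no_override=True),   # moved to the top, No Override
            Link(STANDARD_DESKTOP),
            Link(DEFAULT_DOMAIN, disabled=True),       # Disabled in Exercise 2
        ]),
    ] + [(ou, OU_LINKS[ou]) for ou in ou_path]
    return resolve(containers, set(groups))


if __name__ == "__main__":
    for ous, groups in [(["Marketing", "Sales"], {AUTH_USERS}),
                        (["Marketing"], {AUTH_USERS}),
                        (["Marketing", "Sales"], {AUTH_USERS, DOMAIN_ADMINS})]:
        settings, source = fabrikam(ous, groups)
        print("/".join(ous), sorted(groups))
        for key in sorted(settings):
            print(f"  {key} = {settings[key]}  (from {source[key]})")
```

Running it shows the Sales GPO's attempt to lower the password length being blocked by the No Override domain GPO, and the Domain Admin keeping the local Run menu setting because the filtered desktop GPO never applies.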

Practice: Managing Group Policy

In this practice, you create and manage GPOs. You specify GPO linking and settings that apply to those links, and you practice unlinking and deleting GPOs. Finally, you create a management console from which you can directly manage GPOs irrespective of their position within Active Directory.

Exercise 1: Creating GPOs

Creating a GPO is simple. Open the Active Directory Users And Computers management console to create a GPO that is linked to a domain or an OU, or open the Sites And Services management console to create a GPO that is linked to a site.

These exercises continue the Fabrikam scenario from Lesson 1.

To create a GPO

  1. Log on to the domain controller as the administrator.

  2. Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users And Computers.

  3. In the Active Directory Users And Computers tree in the Active Directory Users And Computers management console, right-click domain.fabrikam.com, and choose Properties.

  4. In the domain.fabrikam.com Properties dialog box, select the Group Policy tab.

    The Group Policy tab appears, as shown in Figure 1.4.

    Figure 1-4. The Group Policy Object Links in the Properties dialog box for the domain

  5. Click New.

  6. Type Domain Security Group Policy as the name of the GPO. The object has now been created.

  7. Click New.

  8. Type Domain Standard Desktop as the name of the GPO. Two GPOs have now been created.

    Why would you want to create a separate GPO to manage settings at the same Active Directory level as an existing GPO, rather than simply modifying the existing object?

  9. Click Close.

Exercise 2: Specifying GPO Settings

You specify settings for GPOs the same way you create GPOs, from the Active Directory object's Group Policy tab in its Properties dialog box.

To specify settings for a GPO

Perform this exercise while logged on to the domain controller as the Administrator.

  1. In the Active Directory Users And Computers tree, right-click domain.fabrikam.com, and choose Properties.

  2. On the Group Policy tab of the domain.fabrikam.com Properties dialog box, select Domain Security Group Policy in the list of GPOs.

  3. Click the Up button to make the Domain Security GPO higher in the list than the Default Domain Policy.

  4. Click Options to open the Domain Security Policy Options dialog box, as shown in Figure 1.5.

    Figure 1-5. The Domain Security Policy Options dialog box

  5. Select the No Override check box to prevent subsequent GPOs from overriding the policy settings of the Domain Security GPO, and click OK. This prevents any subsequently applied GPO from overriding your security-related Group Policy settings.

  6. Select the Default Domain Policy GPO, and then click the Down button to move the Default Domain Policy below the Domain Standard Desktop GPO.

  7. Click Options to open the Domain Security Policy Options dialog box (Figure 1.5).

  8. Select the Disabled check box to prevent the Default Domain Policy GPO from being applied to this Active Directory container.

  9. In the Confirm Disable message box, click Yes to confirm, and then click OK.

  10. Click the Domain Standard Desktop GPO in the list of GPOs, and click Properties. The Domain Standard Desktop Properties dialog box appears, as shown in Figure 1.6.

    Figure 1-6. The GPO Properties for the Domain Standard Desktop Group Policy

  11. Select the Disable Computer Configuration Settings check box because this GPO contains only user settings. Click Yes to confirm, and then click OK.

  12. Click Close to close the domain.fabrikam.com Properties dialog box.

Exercise 3: Controlling Administrative Access to GPOs

You can use permissions to control administrative access to Group Policy and delegate administration to subordinate administrators in a large domain. In this exercise, you will remove the permissions of those who are members of the Enterprise Admins group but not members of the Domain Admins group. This will prevent Enterprise Admins from modifying the Domain Security GPO.

To restrict administrative access to a GPO

Perform this procedure while logged on to the domain controller as Administrator and running the Active Directory Users And Computers management console.

  1. In the Active Directory Users And Computers tree, right-click domain.fabrikam.com and choose Properties.

  2. In the domain.fabrikam.com Properties dialog box, click the Group Policy tab.

  3. Select the Domain Security Group Policy in the GPO Links list, and click Properties.

  4. In the Domain Security Policy Properties dialog box, click the Security tab. The Security tab for the GPO appears, as shown in Figure 1.7.

    Figure 1-7. You can set permissions to access every GPO uniquely

  5. In the list of names, select the Enterprise Admins group.

  6. In the Allow column, clear the Write, Create All Child Objects, and Delete All Child Objects permissions.

  7. Click OK, and click Close.

Exercise 4: Filtering GPO Application

Sometimes you'll need to prevent the application of Group Policy to users within an OU or domain. You can use permissions to easily accomplish this Group Policy filtering. In this exercise, you will filter the application of the Domain Standard Desktop GPO so that it will not apply to members of the Domain Admins group irrespective of their participation within any OU.

To prevent a GPO from being applied to members of a security group

Perform this procedure while logged on to the domain controller as Administrator and running the Active Directory Users And Computers management console.

  1. In the Active Directory Users And Computers tree, right-click domain.fabrikam.com, and choose Properties.

  2. On the Group Policy tab of the domain.fabrikam.com Properties dialog box, select the Domain Standard Desktop GPO in the GPO list.

  3. Click the Properties button.

  4. On the Security tab of the Domain Standard Desktop Properties dialog box, select the Domain Admins group.

  5. In the Permissions list, select the Apply Group Policy check box in the Deny column, and click OK.

    While you would normally also disallow Read access, it is not necessary when you only want to filter the application of a GPO rather than prevent access to it.

  6. A Security message box informs you that unintended consequences might occur due to group membership and asks if you want to continue.

  7. Click Yes in the Security message box, and click OK.

Exercise 5: Linking an Active Directory Object to a GPO

In large organizations, it makes sense to create standard GPOs and apply them to numerous sites, domains, and OUs. You can use Group Policy linking to accomplish this. In this exercise, you link the Domain Standard Desktop GPO to three specific OUs within the domain.fabrikam.com organization.

To link an Active Directory object to a GPO

Perform this procedure while logged on to the domain controller as an Administrator.

  1. Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users And Computers.

  2. In the Active Directory Users And Computers tree in the management console, expand domain.fabrikam.com and Departments to show the Design department.

  3. Select Design, and click Properties on the toolbar.

  4. In the Design Properties dialog box, select the Group Policy tab. The Group Policy tab contains no entries in the Group Policy Object Links list.

  5. Click Add. The Add A Group Policy Object Link dialog box appears, as shown in Figure 1.8.

    Figure 1-8. The Add A Group Policy Object Link dialog box

  6. Click Folder Up twice to browse from the current OU to the domain OU where the Domain Standard Desktop GPO is stored.

  7. Double-click Domain Standard Desktop in the GPO list. This Group Policy Object is now linked to the Design OU.

  8. Click OK.

  9. Repeat steps 3 through 8 for the Human Resources and Marketing OUs.

Exercise 6: Removing a GPO Link

When you no longer need a GPO to be linked to a specific Active Directory object, you can remove the link between them. In this exercise, you remove the link between the domain.fabrikam.com Active Directory container and the Domain Standard Desktop GPO. After you accomplish this, the Domain Standard Desktop Group Policy will apply only to the OUs that you specified in Exercise 5.

To remove a GPO link from an Active Directory object

Perform this procedure while logged on to the domain controller as an Administrator and running the Active Directory Users And Computers management console.

  1. In the Active Directory Users And Computers tree, right-click the domain.fabrikam.com domain, and choose Properties.

  2. In the domain.fabrikam.com Properties dialog box, select the Group Policy tab.

  3. Select the Domain Standard Desktop GPO in the GPO list, and click Delete.

    The Delete Selection dialog box asks if you want to remove only the link or if you also want to delete the GPO.

  4. In the Delete Selection dialog box, select Remove The Link From The List.

  5. Click OK. The GPO is removed from the list.

  6. Click Close.

Exercise 7: Deleting a GPO

When a GPO is no longer necessary, you can delete it. GPOs can become obsolete because of changes in corporate policy or because you've compiled a condensed set of GPOs from a large set of early, smaller GPOs and you no longer need the original GPOs. In this example, you will delete the Domain Standard Desktop Group Policy because a single desktop standard will not be effective for this organization.

To delete a GPO

Perform this procedure while logged on to the domain controller as Administrator while running the Active Directory Users And Computers management console.

  1. In the Active Directory Users And Computers tree, expand domain.fabrikam.com and Departments to reveal the Design OU.

  2. Right-click the Design OU, and choose Properties.

  3. In the Design Properties dialog box, select the Group Policy tab.

  4. Select Domain Standard Desktop in the GPO list, and click Delete.

  5. In the Delete Selection dialog box, select Remove The Link And Delete The Group Policy Object Permanently.

  6. Click OK, and click Yes to confirm.

  7. Click Close.

  8. Right-click the Marketing OU, and choose Properties.

  9. In the Marketing Properties dialog box, select the Group Policy tab.

    Notice that the Domain Standard Desktop GPO that was linked to this OU no longer appears in the OU list because it has been deleted.

  10. Click Close, and then close the Active Directory Users And Computers management console.

Exercise 8: Creating a Group Policy Management Console

In large organizations in which GPOs are frequently linked to numerous Active Directory objects, it is more convenient to manage GPOs separately from the Active Directory objects to which they are linked.

You can use the Group Policy snap-in and the Microsoft Management Console (MMC) to create a management console that allows you to manage all of your GPOs in one place. Or you can create numerous management consoles that allow various administrators to manage the GPOs that apply to their domains or OUs.

To create a convenient Group Policy management console

Perform this procedure while logged on to the domain controller as Administrator.

  1. Click Start, click Run, type mmc, and press Enter to open an empty management console.

  2. From the Console menu, choose Add/Remove Snap-In.

  3. In the Add/Remove Snap-ins dialog box, click Add.

    The Add Standalone Snap-in dialog box appears, as shown in Figure 1.9. In this dialog box, you can create custom management consoles containing all of your custom created GPOs.

    Figure 1-9. The Add Standalone Snap-in dialog box

  4. Double-click the Group Policy Snap-in to open the Select Group Policy Object Wizard.

  5. In the Select Group Policy Object dialog box, click Browse.

  6. In the Browse For A Group Policy Object dialog box, select Domain Security Group Policy in the list, and click OK. The Select Group Policy Object Wizard should now match Figure 1.10.

    Figure 1-10. The Select Group Policy Object Wizard

  7. Click Finish.

  8. Repeat steps 3 through 7 for the Default Domain Policy.

  9. Click Close, and then click OK.

  10. Click Save on the toolbar.

  11. Type Group Policies as the name of this Group Policy Console, and click Save.

  12. Close the management console.

    A Group Policies.mmc console now appears in the Administrative Tools folder in the Start menu. In this console you can directly modify Group Policy settings.

Lesson Review

The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.

  1. From what management tool can you create GPOs?

  2. When you create a GPO, what is automatically created along with it?

  3. What is the default application order for GPOs?

  4. Group Policy is implemented by distinct components called what?

Lesson Summary
