Group Policy Management


Group Policy Management

Group policies simplify administration by giving administrators central control over privileges, permissions, and capabilities of both users and computers. Through group policies you can

  • Create centrally managed directories for special folders, such as My Documents. This is covered in the section of this chapter entitled " Centrally Managing Special Folders."

  • Control access to Windows components , system resources, network resources, Control Panel utilities, the desktop, and the Start menu. This is covered in the section of this chapter entitled "Using Administrative Templates to Set Policies."

  • Define user and computer scripts to run at specified times. This is covered in the section of this chapter entitled " User and Computer Script Management."

  • Configure policies for account lockout and passwords, auditing, user rights assignment, and security. This is covered in Part II of this book, "Microsoft Windows Server 2003 Directory Service Administration."

The sections that follow explain how you can work with group policies. The focus is on understanding and applying group policies.

Understanding Group Policies

You can think of a group policy as a set of rules that helps you manage users and computers. You can apply group policies to multiple domains, to individual domains, to subgroups within a domain, or to individual systems. Policies that apply to individual systems are referred to as local group policies and are stored on the local system only. Other group policies are linked as objects in the Active Directory directory service.

To understand group policies, you need to know a bit about the structure of Active Directory. In Active Directory, logical groupings of domains are called sites and subgroups within a domain are called organizational units . Thus, your network could have sites called NewYorkMain, CaliforniaMain, and WashingtonMain. Within the WashingtonMain site, you could have domains called SeattleEast, SeattleWest, SeattleNorth, and SeattleSouth. Within the SeattleEast domain, you could have organizational units called Information Services (IS), Engineering, and Sales.

Group policies apply only to systems running Windows 2000, Windows XP Professional, and Windows Server 2003. You set policies for Windows NT 4.0 systems with the System Policy Editor (Poledit.exe). For Windows 95 and Windows 98, you need to use the System Policy Editor provided with Windows 95 or Windows 98, respectively, and then copy the policy file to the Sysvol share on a domain controller.

Group Policy settings are stored in a Group Policy Object (GPO). One way to think of a GPO is as a container for the policies you apply and their settings. You can apply multiple GPOs to a single site, domain, or organizational unit. Because policy is described using objects, many object-oriented concepts apply. If you know a bit about object-oriented programming, you might expect the concepts of parent-child relationships and inheritance to apply to GPOs ”and you'd be right.

Through inheritance, a policy applied to a parent container is inherited by a child container. Essentially , this means that a policy setting applied to a parent object is passed down to a child object. For example, if you apply a policy setting in a domain, the setting is inherited by organizational units within the domain. In this case, the GPO for the domain is the parent object and the GPOs for the organizational units are the child objects.

The order of inheritance is as follows :

Site --> Domain --> Organizational Unit

This means that the group policy settings for a site are passed down to the domains within that site and the settings for a domain are passed down to the organizational units within that domain.

As you might expect, you can override inheritance. To do this, you specifically assign a policy setting for a child container that contradicts the policy setting for the parent. As long as overriding of the policy is allowed (that is, overriding isn't blocked), the child's policy setting will be applied appropriately. To learn more about overriding and blocking GPOs, see the section of this chapter entitled "Blocking, Overriding, and Disabling Policies."

In What Order Are Multiple Policies Applied?

When multiple policies are in place, policies are applied in the following order:

  1. Windows NT 4.0 policies (Ntconfig.pol)

  2. Local group policies

  3. Site group policies

  4. Domain group policies

  5. Organizational unit group policies

  6. Child organizational unit group policies

If there are conflicts among the policy settings, the policy settings applied later have precedence and overwrite previously set policy settings. For example, organizational unit policies have precedence over domain group policies. As you might expect, there are exceptions to the precedence rule. These exceptions are discussed later in the section of this chapter entitled "Blocking, Overriding, and Disabling Policies."

When Are Group Policies Applied?

As you'll discover when you start working with group policies, policy settings are divided into two broad categories:

  • Those that apply to computers

  • Those that apply to users

Although computer policies are normally applied during system startup, user policies are normally applied during logon. The exact sequence of events is often important in troubleshooting system behavior. The events that take place during startup and logon are as follows:

  1. The network starts and then Windows Server 2003 applies computer policies. By default, the computer policies are applied one at a time in the previously specified order. No user interface is displayed while computer policies are being processed .

  2. Windows Server 2003 runs startup scripts. By default, startup scripts are executed one at a time, with each completing or timing out before the next one starts. Script execution isn't displayed to the user unless specified.

  3. A user presses Ctrl+Alt+Del to log on. After the user is validated , Windows Server 2003 loads the user profile.

  4. Windows Server 2003 applies user policies. By default, the policies are applied one at a time in the previously specified order. The user interface is displayed while user policies are being processed.

  5. Windows Server 2003 runs logon scripts. Group policy logon scripts are executed simultaneously by default. Script execution isn't displayed to the user unless specified. Scripts in the Netlogon share are run last in a normal command-shell window as in Windows NT 4.0.

  6. Windows Server 2003 displays the start shell interface configured in Group Policy.

By default, Group Policy is refreshed only when a user logs off or a computer is restarted. You can change this behavior by setting a Group Policy refresh interval as discussed in the section of this chapter entitled "Refreshing Group Policy." To do this, open a command prompt and type gpupdate .

Real World

Some user settings, such as Folder Redirection, can't be updated when a user is logged on. The user must log off and then log back on for these settings to be applied. You can type gpupdate / logoff at the command line to log the user off automatically after the refresh. Similarly, some computer settings can be updated only at startup. The computer must be restarted for these settings to be applied. You can enter gpupdate /boot at the command line to restart the computer after the refresh.

Group Policy Requirements and Version Compatibility

Group policies were introduced with Windows 2000 and apply only to systems running Windows 2000, Windows XP Professional, and Windows Server 2003. As you might expect, each new version of the Windows operating system has brought with it changes to Group Policy. Sometimes these changes have made older policies obsolete on newer versions of Windows. In this case, the policy only works on a specific version of the Windows operating system, such as only on Windows 2000.

Generally speaking, however, most policies are forward compatible. This means that policies introduced in Windows 2000 can, in most cases, be used on Windows 2000, Windows XP Professional, and Windows Server 2003. It also means that in most cases Windows XP Professional policies aren't applicable to Windows 2000, and that policies introduced in Windows Server 2003 aren't applicable to Windows 2000 or Windows XP Professional.

If a policy isn't applicable to a particular version of the Windows operating system, you can't enforce the policy on computers running those versions of the Windows operating system.

How will you know if a policy is supported on a particular version of Windows? Easy. The properties dialog box for each policy has a Supported On field in the Setting tab. This text-only field lists the policy's compatibility with various versions of the Windows operating system. If you select the policy with the Extended display in the Group Policy Object Editor, you'll also see a Requirements entry that lists compatibility.

You can also install new policies when you add a service pack, install Windows applications, or add Windows components. This means that you'll see a wide range of compatibility entries.

Managing Local Group Policies

Each computer running Windows Server 2003 has one local group policy. You manage local policies on a computer by completing the following steps:

  1. Open the Run dialog box by clicking Start and then clicking Run.

  2. Type mmc in the Open field and then click OK. This opens the Microsoft Management Console (MMC).

  3. In MMC, click File, and then click Add/Remove Snap-In. This opens the Add/ Remove Snap-In dialog box.

  4. In the Standalone tab, click Add.

  5. In the Add Standalone Snap-In dialog box, click Group Policy Object Editor, and then click Add. This starts the Group Policy Wizard.

  6. Under Group Policy Object, Local Computer should be selected by default. If you want to edit the local policy on your computer, simply click Finish. To find the local policy on another computer, click Browse. After you find the policy you want to work with, click OK and then click Finish.

  7. Click Close and then click OK. You can now manage the local policy on the selected computer. For details, see the section of this chapter entitled "Working with Group Policies."

Local group policies are stored in the %SystemRoot%\System32\GroupPolicy folder on each Windows Server 2003 computer. In this folder you'll find the following subfolders :

  • Adm

    Stores administrative template files currently being used. These files end with the .adm file extension. The Adm folder is only on domain controllers.

  • Machine

    Stores computer scripts in the Script folder and registry-based policy information for HKEY_LOCAL_MACHINE (HKLM) in the Registry.pol file.

  • User

    Stores user scripts in the Script folder and registry-based policy information for HKEY_CURRENT_USER (HKCU) in the Registry.pol file.

    Caution

    You shouldn't edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console. By default, these files and folders are hidden. If you want to view hidden files and folders in Windows Explorer, select Folder Options from the Tools menu, click the View tab, choose Show Hidden Files And Folders, clear Hide Protected Operating System Files, and then click OK.


Managing Site, Domain, and Unit Policies

Each site, domain, and organizational unit can have one or more group policies. Group policies listed higher in the Group Policy list have a higher precedence than policies listed lower in the list. As stated earlier, group policies set at this level are associated with Active Directory. This ensures that site policies get applied appropriately throughout the related domains and organizational units.

Creating and Editing Site, Domain, and Organizational Unit Policies

You create and edit site, domain, and organizational unit policies by completing the following steps:

  1. For sites, you start the Group Policy snap-in from the Active Directory Sites And Services console. Open the Active Directory Sites And Services console.

  2. For domains and organizational units, you start the Group Policy snap-in from the Active Directory Users And Computers console. Open the Active Directory Users And Computers console.

  3. In the appropriate console root, right-click the site, domain, or organizational unit on which you want to create or manage a group policy. Then select Properties on the shortcut menu. This opens a properties dialog box.

  4. In the properties dialog box, select the Group Policy tab. As Figure 4-1 shows, existing policies are listed in the Group Policy Object Links list.

    Figure 4-1. Use the Group Policy tab to create and edit policies.

    graphics/f04ap01.jpg

  5. To create a new policy, click New. You can now configure the policy as explained in the section of this chapter entitled "Working with Group Policies."

  6. To edit an existing policy, select the policy and then click Edit. You can now edit the policy as explained in the section of this chapter entitled "Working with Group Policies."

  7. To change the priority of a policy, select the policy that you want to work with and then use the Up or Down button to change its position in the Group Policy Object Links list.

Site, domain, and organizational unit group policies are stored in the %SystemRoot%\ Sysvol\Domain\Policies folder on domain controllers. In this folder you'll find one subfolder for each policy you've defined on the domain controller. The policy folder names are the policy's Global Unique Identifier (GUID). The GUIDs can be found on the policy's properties page in the General tab in the summary frame. Within these individual policy folders, you'll find the following subfolders:

  • Adm

    Stores administrative template files currently being used. These files end with the .adm file extension. The Adm folder is only on domain controllers.

  • Machine

    Stores computer scripts in the Script folder and registry-based policy information for HKEY_LOCAL_MACHINE (HKLM) in the Registry.pol file.

  • User

    Stores user scripts in the Script folder and registry-based policy information for HKEY_CURRENT_USER (HKCU) in the Registry.pol file.

    Caution

    You shouldn't edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console.


Blocking, Overriding, and Disabling Policies

You can block policy inheritance at the site, domain, and organizational unit level. This means that you could block policies that would otherwise be applied. At the site and domain level, you can also enforce policies that would otherwise be contradicted or blocked. This gives top-level administrators the ability to enforce policies and prevent them from being blocked. Another available option is to disable policies. You can disable a policy partially or entirely without deleting its definition.

You configure these policy options by completing the following steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in Steps 1 “4 of the "Creating and Editing Site, Domain, and Organizational Unit Policies" section earlier in this chapter.

  2. Select Block Policy Inheritance to prevent the inheritance of higher-level policies (unless those policies have the No Override option set).

  3. Use the No Override option to prevent lower-level policies from blocking the policy settings. Select or clear the No Override option by double-clicking in the appropriate column to the right of the group policy entry. A check mark indicates the option is selected.

  4. Use the Disabled option to prevent the policy from being used. Select or clear the Disabled option by double-clicking in the appropriate column to the right of the group policy entry. A check mark indicates the option is selected.

Disabling an Unused Part of Group Policy

Another way to disable a policy is to disable an unused part of the GPO. When you do this, you block the Computer Configuration or User Configuration settings, or both, and don't allow them to be applied. By disabling part of a policy that isn't used, the application of GPOs and security will be faster.

You can enable or disable configuration settings in Group Policy by following these steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in Steps 1 “4 of the "Creating and Editing Site, Domain, and Organizational Unit Policies" section earlier in this chapter.

  2. Click Properties in the Global Policy tab, and then select or clear Disable Computer Configuration Settings and Disable User Configuration Settings.

    Caution

    Any settings of the blocked node aren't applied and are essentially lost. To get these settings back, you'll have to clear the Disable Settings options.


Applying an Existing Policy to a New Location

Any group policy that you've created can be associated with another computer, unit, domain, or site. By associating the policy with another object, you can use the policy settings without having to recreate them.

You apply an existing policy to a new location by completing the following steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with.

  2. In the Group Policy tab, click Add. As shown in Figure 4-2, this opens the Add A Group Policy Object Link dialog box.

  3. Use the tabs and fields provided to find the group policy you want to apply to the current location. When you find the policy, click OK.

    Figure 4-2. Use the Add A Group Policy Object Link dialog box to link existing policies to new locations without having to recreate the policy definition.

    graphics/f04ap02.jpg

  4. Active Directory creates a link between the GPO and the site, domain, or unit container you're working with. Now when you edit the policy in any location, you edit the master copy of the object and the changes are reflected globally.

Deleting a Group Policy

You can disable or delete group policies that you don't use. To disable a policy, double-click in the Disabled column to the right of the group policy entry. A check mark indicates that the option is selected. To delete a policy, follow these steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in Steps 1 “4 of the section of this chapter entitled "Creating and Editing Site, Domain, and Organizational Unit Policies."

  2. Select the policy you want to delete and then click Delete.

  3. If the policy is linked, you have the option of deleting the link without affecting other containers that use the policy. To do this, in the Delete dialog box select Remove The Link From The List.

  4. If the policy is linked, you can also delete the link and the related policy object, which permanently deletes the policy. To do this, select Remove The Link And Delete The Group Policy Object Permanently.

Refreshing Group Policy

When you make changes to Group Policy, those changes are immediate. However, they aren't propagated automatically. Client computers request policy when

  • The computer starts

  • A user logs on

  • An application or user requests a refresh

  • A refresh interval is set for Group Policy and the interval has elapsed

As you learned previously in this chapter, you can request that a policy be refreshed on a local computer using the Gpupdate command-line utility. Simply type gpupdate at the command prompt. You can also refresh a policy by setting a specific refresh interval, which thereby periodically forces a refresh. Either way, however, the refresh is only a background refresh and some policies might not be updated. The only way to ensure that all user policies are updated is to have the user log off. The only way to ensure that all computer policies are updated is to restart the computer.

To set a refresh interval in Group Policy, follow these steps:

  1. Access the Group Policy console for the site, domain, or organizational unit you want to work with as specified in the section of this chapter entitled "Creating and Editing Site, Domain, and Organizational Unit Policies."

  2. Access the Group Policy node by expanding Computer Configuration\ Administrative Templates\System\Group Policy.

  3. In the details pane, double-click Group Policy Refresh Interval For Computers. This policy controls the background refresh rate for computer policies.

  4. In the Setting tab, Select Enabled. You can now set the refresh interval for computer policies using the options provided. With the default settings, Group Policy is updated every 90 minutes with a random offset of 0 to 30 minutes. The offset makes it less likely that multiple computers will request updates at the same time. Click OK.

  5. Access User Configuration\Administrative Templates\System\Group Policy.

  6. In the details pane, double-click Group Policy Refresh Interval For Users. This policy controls the background refresh rate for computer policies.

  7. In the Setting tab, select Enabled. You can now set the refresh interval for user policies using the options provided. Click OK when finished.

  8. When applying a refresh, network traffic is generated. During the update, the local computer might be less responsive than normal, which might affect the user's work.

    Note

    The refresh interval for computers doesn't apply to domain controllers. If you want domain controllers to regularly refresh a policy, access Computer Configuration\Administrative Templates\System\Group Policy and then double-click Group Policy Refresh Interval For Domain Controllers. You can now set the refresh interval.


Real World

You want to ensure that updates don't occur too frequently yet are timely enough to meet expectations or requirements. The more often a policy is refreshed, the more traffic that's generated over the network. In a large installation, you typically want to set a longer refresh rate than the default to reduce network traffic, particularly if the policy affects hundreds of users or computers. In any installation where users complain about their computers getting sluggish periodically, you might want to increase the policy refresh interval as well. Consider that a once a day or once a week update might be all that it takes to keep policies current enough to meet your organization's needs.



Microsoft Windows Server 2003 Administrator[ap]s Pocket Consultant
Microsoft Windows Server 2003 Administrator[ap]s Pocket Consultant
ISBN: 735622450
EAN: N/A
Year: 2003
Pages: 141

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net