Using Group Policy to Administer Rights and Permissions

Using Group Policy to Administer Rights and Permissions

To manage user rights and permissions on a larger scale than simply at the server or workstation level, administrators of Windows Server 2003 Active Directory networks can leverage group policies. Group policies enable directory-based change and configuration management of users and computers. This section focuses on the particular functionality of group policy for access management. For a more comprehensive approach to group policies turn to Chapter 6, "Implementing Group Policies."

Assigning Rights with Group Policy

Previous sections demonstrated using the Local Policy Editor to manage user rights and privileges; you can assign these same user rights and privileges through the Group Policy Editor. The benefit of using group policies to assign user rights is that a larger scope of users or computers can be managed from a single configuration.

Assigning user rights with the Group Policy Editor is nearly identical to assigning rights with the Local Policy Editor. The exception is the process by which Group Policy Objects (GPOs) are linked to Active Directory container objects.

When you edit the local policy on a workstation or server to assign a particular user privilege, for example to grant the capability to perform backups and restores on a computer, then after the local policy is edited, the configuration is complete. When you make the same configuration at the domain level by creating or modifying a GPO, to enable the configuration, the administrator must also link that GPO to an Active Directory container, for example a particular Organizational Unit (OU). After the GPO is linked to an OU, the policy will apply to all computers contained in that OU. The process of linking a GPO to an AD container can be done in different ways. One way is to modify the properties of the target OU, and create or edit the GPO from that context.

To demonstrate this process in detail, the following example details the steps necessary to grant the capability to back up and restore files on all computers contained in the Sales OU to users contained in the local Power Users group of those computers.

1. In Active Directory Users and Computers, right-click on the Sales OU.

2. Choose Properties, and then click the Group Policy tab.

3. Click New, type a name for the GPO, and then click Close.

4. Click Edit to open the Group Policy Editor.

5. Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\ User Rights Assignment.

6. Double-click Backup Files and Directories.

7. Check Define These Policy Settings as shown in Figure 5.5, and click Add User or Group.

   Figure 5.5. Defining policy settings for user rights.

   

8. Type in Power Users , and click OK to complete the configuration.

Assigning user rights through group policies has the added security benefit of preventing changes to the configured settings at the local level. When there are conflicting settings between the local policy and a linked group policy, the group policy settings will override the local settings. Additionally, the local policy cannot be modified, even by a local administrator, if a group policy is in force.

Granting Access to Files with Group Policy

Managing permissions for files and folders through group policies is similar to the process of editing the Access Control Entries (ACEs) on NTFS file folders and shares. Again, group policies can be used to enforce domain or OU-level security standards across a larger scope of computers. In the case of files and folders, you have the capability to replace the local ACEs on computers contained within the scope of the targeted AD container with ACE settings made in a GPO.

In addition to enforcing a security standard on common folder permissions across a broad target of computers, GPO permission settings can also be used to solve access problems that were not evident when initial permission settings were deployed locally.

For example, the default local permissions set on the folder, C:\Program Files, limits users to read and execute permissions on this folder and its subfolders in a standard Windows XP workstation. If at a later time a new application is installed on several workstations that create subfolders to which users will need the write permission for proper execution, there will be an access problem that could potentially span hundreds of workstations. The process of changing the local ACE of each workstation would be extremely tedious and time consuming. On the other hand, you can change the ACE through a group policy and fix the problem with just a few keystrokes.

The following example modifies permissions on a particular subfolder, C:\Program Files\HRApp, for all user workstations in the Human Resources OU:

1. Create or modify the GPO linked to the Human Resources OU.

2. Navigate to Computer Configuration\Windows Settings\Security Settings\File System.

3. Right-click File System and choose Add File.

4. In the Add File or Folders screen, type C:\Program Files\HRApp , as shown in Figure 5.6, and click OK.

   Figure 5.6. Modifying User Permissions using Group Policy.

   

5. On the Database Security screen, highlight the Users group, and then check the Write permission and click OK.

6. In the Add Object dialog box, choose Replace Existing Permissions and click OK.

Granting Access to Registry Settings with Group Policy

In addition to being able to modify file and folder permissions, you have the capability to modify security settings in the Registry using group policies.

As is the case with file permissions, the functional application of setting Registry permissions with group policies are twofold: you can establish security standards across a greater scope of user permissions on workstations or servers; and you can apply fixes to computers already deployed to a vast population of users.

Just as some software requires file permission modifications to run correctly, it is not uncommon to find similar requirements for specific Registry keys. Such requirements, though, might not show up when initial testing and configuration of the software is performed. If an application is deployed to several hundred workstations only to find that a particular functionality does not work with the standard user Registry permissions, it is possible to fix the problem by targeting the workstations with a GPO that addresses the particular Registry security setting.

For example, a company might discover after deploying 400 new workstations that standard users cannot change their default JPEG viewer from Internet Explorer to Photo Editor in Windows XP (or vice versa). The workstations will require modified permissions to the following Registry key: HKLM\SOFTWARE\Microsoft\Shared Tools\Graphic Filters. To modify these permissions through group policy, perform the following steps:

1. Modify or create a new GPO attached to domain.

2. In Group Policy Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Registry.

3. Right-click Registry, and then choose Add key.

4. In the Select Registry Key dialog box, manually type the key MACHINE\SOFTWARE\Microsoft\Shared Tools\Graphic Filters , and click OK.

5. Highlight Users, and click Advanced.

6. Highlight Users again, and click Edit, as shown in Figure 5.7.

   Figure 5.7. Editing Registry Permissions with Group Policy.

   

7. Check Allow for Set Value, and then click OK three times.

8. Choose Replace Existing Permissions and click OK.

Managing Groups with Group Policy

Because the most efficient way to manage access control to resources is by leveraging groups of various types, it is important to provide a means to manage group memberships across a wide scope of computer objects. To this end, group policies can be defined that limit or set the membership of groups across computer objects contained in the targeted AD container.

For example, you might want to limit the membership of the local Power Users group to the Engineering global group for computers contained in the Engineering OU of the domain. By enforcing such a policy, the local Power Users group cannot be modified at the local level to include any other members besides the Engineering global group.

To establish this restriction, perform the following steps:

1. Edit or create a GPO attached to the Engineering OU.

2. In the Group Policy Editor, navigate to the Computer Configuration\Windows Settings\Security Settings\Restricted Groups.

3. Right-click on Restricted Groups and choose Add Group.

4. Type Power Users in the dialog box.

5. Click the Add button for Members of this Group.

6. In the Add dialog box, type Engineering and click OK.