Managing Users with Local Security and Group Policies


Windows Server 2003 systems provide local security policies to manage user and group administrative access on a per-server basis. Within Active Directory, you can use group policies to set configurations and security on a specified collection of computers, users, or groups of users from a single policy. These policies can be used to deliver standard desktop configurations and security settings for server access and application functionality. Also, policies can set user configurations to deliver software on demand, redirect desktop folders, plus affect many more settings. Many settings within each policy explain what the setting controls and whether computer-based settings apply to only Windows XP workstations. Chapter 15, "Security Policies and Tools," describes security policy in more depth, but the best way to discover and learn about all the Group Policy settings is to open an actual Group Policy Object and start browsing each section.

Viewing Policies with the Group Policy Object Editor

You can view Active Directorybased group policies or server and workstation local security policies with very little effort by using a single console. Using the Group Policy Object Editor MMC snap-in, you can read and configure both Group Policy Objects and local security policies.

To open an existing policy, follow these steps:

1. Log on to a Windows Server 2003 system or an XP workstation with the Administration Pack installed.

2. Choose Start, Run. Type MMC.exe and click OK.

3. If you used a standard user account to log on, at the Run prompt, type runas /user:administrator mmc.exe and click OK to open the MMC with an elevated account. In this example, you use the Administrator account, but you can use any account with the rights to view or modify the respective policy.

4. If you used the runas command, a command-prompt window then opens, prompting for the password. Type in the password and press Enter.

5. When the MMC opens, choose File, Add/Remove Snap-in.

6. In the Add/Remove Snap-in window, click Add.

7. In the Add Stand-alone Snap-in page, scroll down and select Group Policy Object Editor and then click Add.

8. The Select Group Policy Wizard opens, asking which policy you want to open. The default is the local computer policy of the machine you are logged on to. To choose a domain-based group policy or a local security policy on a different server or workstation, click the Browse button.

9. Select the correct tab to find the policy, as shown in Figure 19.8, and click OK.

Figure 19.8. Selecting the desired policy to view or manage.

10. Click Finish in the Select Group Policy Wizard, click Close in the Add Stand-alone Snap-in page, and click OK in the Add/Remove Snap-in window to return to the console and access the respective policy.

After you access the policy, you can view each setting or settings container to determine the default value and, in some cases, learn what the setting controls. Keep in mind that, with the correct level of permissions, any changes you make to this policy are live changes; there is no undo other than reversing the individual setting changes or performing a Primary restore of the SYSVOL folder on a domain controller that has already replicated the changes.

Creating New Group Policies

When changes need to be made or tested using group policies, the administrator should leave the production environment untouched and create test policies in isolated test lab environments. When test labs are not available or cannot replicate the production environment, the administrator can test policies in isolated organizational units within a domain. Also, if domain- or site-based policies need to be created for testing, security filtering could be modified to apply the policy only to a specific set of test users or groups.

The preceding section described how to locate a group policy. Using the Active Directory Users and Computers and Active Directory Site and Services snap-ins, you can create, configure, and open site, domain, and organizational unit (OU) group policies for editing. The following steps outline how to create a new domain-based policy and configure its security filtering to apply to a single user:

1. Log on to a Windows Server 2003 system or an XP workstation with the Windows Server 2003 Administration Pack installed.

2. Choose Start, Run. Type MMC.exe and click OK.

3. If you used a standard user account to log on, at the Run prompt, type runas /user:administrator mmc.exe and click OK to open the MMC with an elevated account. In this example, you use the Administrator account, but you can use any account with the rights to view or modify the respective policy.

4. If you used the runas command, a command-prompt window then opens, prompting for the password. Type in the password and press Enter.

5. When the MMC opens, choose File, Add/Remove Snap-in.

6. In the Add/Remove Snap-in window, click Add.

7. In the Add Stand-alone Snap-in page, select Active Directory Users and Computers and click Add.

8. Click Close in the Add Stand-alone Snap-in page and click OK in the Add/Remove Snap-in window to return to the console and access the snap-in.

9. The snap-in defaults to the domain used for the login. To change the domain focus, right-click Active Directory Users and Computers in the left pane and select Connect to Domain.

10. Type in the fully qualified name of the domain and click OK to return to the console. If necessary, click the Browse button to locate the domain.

11. In the console, you should see the domain listed. Right-click the domain listing and select Properties.

12. Select the Group Policy tab and then click the New button. A new policy then appears in the window.

13. Type in a descriptive policy name and press Enter to create the policy.

14. When the policy is listed, select it and click the Properties button.

15. Select the Security tab and highlight the Authenticated Users entry.

16. In the Permissions section, scroll down and uncheck the Allow box for Apply Group Policy.

17. Select each entry in the Group Policy access control list and verify that no existing groups are allowed to apply the group policy.

18. Click Add and type in the name of a user or group. To find a list of users and groups within the current domain, click the Advanced button, and in the search window, click Find Now to return the complete list. Scroll down and select the users or groups you want and click OK.

19. Click OK to add the entries to the policy.

20. Back in the security window, select the respective entry and check the Allow box for Apply Group Policy, as shown in Figure 19.9. Click OK when you're finished.

21. Click Apply to update the Group Policy security; then select the General tab.

22. On the bottom of the General tab, you can disable the Computer or User Settings section of Group Policy to shorten policy application time. Leave both sections enabled if both user and computer settings will be used. Click OK to close the Group Policy properties.

23. If you want to configure the group policy now, select the policy from the window and click the Edit button to open the Group Policy Object Editor with the focus on the new policy. Otherwise, click Close.

Configuring and Optimizing Group Policy

After a Group Policy Object is created, a few steps should be taken to configure how the policy will be applied and to optimize the time to apply the policy. Group policies can be limited to computer- or user-specific settings. To determine whether either type of setting can be disabled, the administrator should figure out which settings are necessary to provide the desired policy settings. In many cases, a policy uses settings for both types. To disable either user or computer policy settings, open the properties as described in the section "Viewing Policies with the Group Policy Object Editor" earlier in this chapter. When the policy is listed, right-click the policy and select Properties. On the General tab, check the appropriate boxes to disable computer or user settings and click OK to save the settings.

Figure 19.9. Modifying a group policy's application scope.


When multiple group policies exist, they are applied in a predefined order. For a particular user or computer, the order can be derived using the Resultant Set of Policies snap-in described later in this chapter in the section "The Resultant Set of Policies MMC Snap-in." Under standard processing, the policy applied last wins: if setting X is enabled in a top-level policy and disabled in the last policy applied to an object, the resulting setting is disabled. Many policy settings have three states: enabled, disabled, and the default of not configured.

You can limit group policies to apply to specific users or computers by modifying the security entries. You can also disable either the computer or the user section of a policy from its General properties, and policies from higher levels can be blocked at the site, domain, or OU container level using a setting called Block Policy Inheritance. When company-wide, domain-wide, or site-wide settings need to be configured and imposed, the group policy can be configured to use No Override.

Block Policy Inheritance

The Block Policy Inheritance option allows an administrator to prevent higher-level policies from applying to users and computers within a certain site, domain, or OU. This capability can be useful to optimize Group Policy applications and to ensure that rights are grandfathered down to the Active Directory objects within the container.

To block policy inheritance, follow these steps:

1. Open either the AD Users and Computers MMC snap-in for domain or OU objects or the AD Sites and Services MMC snap-in for site objects.

2. Right-click the object you want to modify and select Properties.

3. Select the Group Policy tab and check the Block Policy Inheritance box, as shown in Figure 19.10.

Figure 19.10. Blocking policy inheritance for an OU.

4. Click OK to update the container's Group Policy properties.

The No Override Options

Configuring the No Override option prevents lower-level policies from blocking policy inheritance and from changing the parameters or configured settings in a policy. This option should be used only if policy needs to be enforced on AD objects in every container and subcontainer with a link or inheritance to this policy object.

To configure the No Override option for the default domain policy, follow these steps:

1. Open the AD Users and Computers MMC snap-in for the desired domain.

2. Right-click the domain listing and select Properties.

3. Select the Group Policy tab, select the default domain policy, and click the Options button.

4. Check the No Override box and click OK in the Policy Options property page.

5. Click OK to close the Domain property page to complete the process.

Troubleshooting Group Policy Applications

When policies are used throughout an organization, sometimes the policy settings do not apply to a user or computer as originally intended. To begin basic troubleshooting of Group Policy application issues, you need to understand the policy application hierarchy. First, the local server or workstation policy applies to the user or computer, followed by site group policies, domain group policies, and finally the organizational unit group policies. If nested OUs have group policies, the parent OU policies are processed first, followed by the child OUs, and finally the OU containing the Active Directory object (user or computer). You might find it easier to remember "LSD-OU," the acronym for local, site, domain, and then OU.

Now that you know the order in which policies are applied, you can proceed to use the Group Policy testing and troubleshooting tools provided with Windows Server 2003, namely the Resultant Set of Policies MMC snap-in and the command-line utility GPResult.exe, which is the command-line version of the RSOP snap-in.
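The LSD-OU order above, together with the security filtering steps in "Creating New Group Policies," the disabled-section switch on the General tab, Block Policy Inheritance, and No Override, all feed into one resolution rule that the RSOP snap-in reports. The following model, an added example that is not from the book, replays that rule for the user side of policy for a single user. GPO names, OU names, setting names, and the user accounts are constructed; the convention that each container's links are listed in processing order (last one wins) is the model's own assumption, not the layout of the Group Policy tab.

```python
"""Model of Windows Server 2003 Group Policy precedence (constructed example).

Resolves the effective user-side settings for one user by replaying the
LSD-OU processing order with security filtering, Block Policy Inheritance,
No Override, and the three-state (Enabled / Disabled / Not Configured)
nature of most settings.  All names and settings below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Three-state setting: True = Enabled, False = Disabled, None = Not Configured.
State = Optional[bool]


@dataclass
class GPO:
    name: str
    settings: Dict[str, State]
    # Security filtering: principals holding Allow for "Apply Group Policy".
    apply_to: Set[str] = field(default_factory=lambda: {"Authenticated Users"})
    no_override: bool = False            # "No Override" set on the link
    user_settings_enabled: bool = True   # General tab: user section not disabled


@dataclass
class Container:
    """A site, domain, or OU with the GPOs linked to it."""
    name: str
    links: List[GPO] = field(default_factory=list)  # model convention: last one wins
    block_inheritance: bool = False


def processing_order(local: GPO, chain: List[Container]) -> List[GPO]:
    """Return GPOs in the order they are processed (later entries win).

    `chain` is ordered site, domain, parent OU ... child OU (the LSD-OU order).
    The local policy is always processed first; blocking never removes it.
    """
    normal: List[GPO] = []
    enforced: List[GPO] = []
    for container in chain:
        if container.block_inheritance:
            # Block Policy Inheritance drops inherited links that are not No Override.
            normal = []
        for gpo in container.links:
            (enforced if gpo.no_override else normal).append(gpo)
    # No Override links are processed after everything else, and a higher-level
    # No Override link beats a lower-level one, so they are applied in reverse.
    return [local] + normal + list(reversed(enforced))


def applies_to_user(gpo: GPO, principals: Set[str]) -> bool:
    """Security filtering plus the per-GPO 'disable user settings' switch."""
    return gpo.user_settings_enabled and bool(gpo.apply_to & principals)


def resultant_set(local: GPO, chain: List[Container],
                  principals: Set[str]) -> Tuple[Dict[str, bool], List[str]]:
    """Return (effective settings, names of GPOs applied) for the user side."""
    effective: Dict[str, bool] = {}
    applied: List[str] = []
    for gpo in processing_order(local, chain):
        if not applies_to_user(gpo, principals):
            continue
        applied.append(gpo.name)
        for setting, state in gpo.settings.items():
            if state is not None:   # Not Configured leaves the earlier value alone
                effective[setting] = state
    return effective, applied


# --- constructed scenario (hypothetical names, not from the book) -------------
LOCAL = GPO("Local Computer Policy", {"RemoveRunMenu": False})
SITE = Container("Default-First-Site-Name", [
    # User section disabled on the General tab: ignored for user-side processing.
    GPO("Site Computer Settings", {"RemoveRunMenu": True}, user_settings_enabled=False),
])
DOMAIN = Container("example.local", [
    GPO("Default Domain Policy", {"PasswordComplexity": True}, no_override=True),
    # Filtered the way the creation steps describe: only jdoe may apply it.
    GPO("Test Policy", {"RemoveRunMenu": True}, apply_to={"jdoe"}),
])
SALES = Container("Sales", [
    GPO("Sales Desktop", {"HideDesktopIcons": True, "PasswordComplexity": False}),
], block_inheritance=True)
ENGINEERING = Container("Engineering", [
    GPO("Engineering Desktop", {"HideDesktopIcons": False}),
])


def resolve(user: str, ou: Container) -> Tuple[Dict[str, bool], List[str]]:
    """Resolve a user whose account sits in `ou` directly under the domain."""
    principals = {user, "Authenticated Users", "Domain Users"}
    return resultant_set(LOCAL, [SITE, DOMAIN, ou], principals)


if __name__ == "__main__":
    for user, ou in (("jdoe", SALES), ("jdoe", ENGINEERING), ("asmith", ENGINEERING)):
        settings, applied = resolve(user, ou)
        print(f"{user} in {ou.name}: {settings}  applied={applied}")
```

Running the scenario shows the three behaviours the chapter describes: the Sales OU's Block Policy Inheritance discards the filtered Test Policy but not the No Override Default Domain Policy, which also wins over the Sales Desktop attempt to turn PasswordComplexity off; in Engineering the Test Policy reaches jdoe but not asmith, because only jdoe holds Apply Group Policy; and the site GPO whose user section is disabled never appears in the applied list.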

The Resultant Set of Policies MMC Snap-in

The RSOP snap-in can be used to show the effective policy settings for a user who logs on to a server or workstation after all the respective policies have been applied. This tool is good for identifying which policies are being applied and what the effective setting is.

To test the policies for a user, use the RSOP snap-in as follows:

1. Log on to the server or workstation where the user has already logged on.

2. Choose Start, Run. Then type MMC.exe and click OK.

3. Choose File, Add/Remove Snap-in.

4. Click Add in the Add/Remove Snap-in window.

5. Select Resultant Set of Policy from the Add Stand-alone Snap-in page and click Add. Click Close and then OK in the Add/Remove Snap-in window.

6. In the console window, right-click Resultant Set of Policy and select Generate RSOP Data.

7. Click Next on the Welcome screen.

8. Choose Logging Mode on the Mode Selection page and click Next.

9. On the Computer Selection page, select This Computer and click Next.

10. On the User Selection page, select the Display Policy Settings For radio button and then select the Select a Specific User option, as shown in Figure 19.11.

Figure 19.11. Selecting the specific user for whom you want to gather Group Policy data.

11. On the Summary of Selections page, verify that all the correct selections were chosen and click Next to gather the data.

12. When the snap-in has finished collecting data, click Finish to return to the console and review it.

Within the console, you can review each particular setting to see whether a setting was applied or the desired setting was overwritten by a higher-level policy. To figure out which actual policies have been applied, right-click either the Computer Configuration or User Configuration container and then select Properties to see the list of policies applied for the specified user.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499