Understanding Group Policy

Group Policy settings are of two kinds: those that apply to the computer and those that apply to the user. Computer-related settings are always applied, regardless of which user account is used to log on to the computer. User-related settings apply to specific users. Security policies are applied to the computer and therefore affect all users of the computer, including members of the Administrators group. By default, a local security policy is stored on and applied to each computer running Windows 2000 or Windows XP. You can also implement Group Policy settings on a local computer, although local group policies are not stored in or enforced by Active Directory. Group policies are associated with site, domain, and OU containers in Active Directory in the form of Group Policy objects (GPOs).

A GPO can be associated with any site, domain, or OU, and the GPO can be linked to multiple sites, domains, or OUs. Conversely, a given site, domain, or OU can have multiple GPOs linked to it. In the event that multiple GPOs are linked to a particular site, domain, or OU, you can prioritize the order in which these GPOs are applied.

By linking GPOs to Active Directory sites, domains, and OUs, you can implement Group Policy settings for as broad or narrow a portion of the organization as you require, including the following:

  • A GPO linked to a site applies to all users and computers in the site.

  • A GPO applied to a domain applies to all users and computers in the domain, even if the users and computers are located within OUs in the domain. GPOs associated with parent domains are not inherited by child domains.

  • A GPO applied to an OU applies to all users and computers located directly in the OU and, by inheritance, to all users and computers in child OUs.

The settings from site, domain, and OU GPOs accumulate, and the combined result is applied. GPOs are stored on a per-domain basis. You can link a site, domain, or OU to a Group Policy object in another trusted domain, but this is generally not recommended for performance reasons. GPOs associated only with a site are stored in the forest root domain, and those policies are retrieved from a domain controller in the forest root domain. Group Policy objects are applied in a hierarchical arrangement. By default, GPOs are cumulative and processed in the following order:

  1. The local Group Policy object (LGPO) is applied.

  2. GPOs linked to sites are processed.

  3. GPOs linked to domains are processed.

  4. GPOs linked to OUs are processed. In the case of nested OUs, GPOs associated with parent OUs are processed prior to GPOs associated with child OUs.
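As an added example (not from the book), the following Python model implements the processing order just described: the local GPO first, then site, domain, and OU links from the top of the OU tree down, with a setting defined in a later GPO overriding the same setting from an earlier one. Within one container the links are applied from the highest link order number to link order 1, so that link order 1 has the highest precedence. GPO names, setting names and values are constructed for illustration (real policy settings are registry paths), and the model ignores the No Override and Block Policy Inheritance options.

```python
# Added example (not from the book): a model of the Group Policy processing
# order (LSDOU). Settings are written in sequence, so a setting defined in a
# later GPO overrides the same setting from an earlier one.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GPO:
    """A Group Policy object: a name and the settings it defines."""
    name: str
    settings: Dict[str, str] = field(default_factory=dict)


# A container (site, domain, or OU) holds (GPO, link order) pairs. Within one
# container, link order 1 has the highest precedence, which means it is
# applied LAST so that its values win over higher-numbered links.
Links = List[Tuple[GPO, int]]


def container_order(links: Links) -> List[GPO]:
    """Apply a container's links from the highest link order number down to 1."""
    return [gpo for gpo, _ in sorted(links, key=lambda link: link[1], reverse=True)]


def processing_order(lgpo: Optional[GPO], site: Links, domain: Links,
                     ou_chain: List[Links]) -> List[GPO]:
    """Local, site, domain, then OUs from the parent OU down to the OU that
    directly contains the object. GPOs linked to a parent domain are not
    inherited, so only the object's own domain links are passed in."""
    order: List[GPO] = []
    if lgpo is not None:
        order.append(lgpo)
    for links in [site, domain, *ou_chain]:
        order.extend(container_order(links))
    return order


def resultant_settings(order: List[GPO]) -> Dict[str, Tuple[str, str]]:
    """Cumulative result: each setting maps to (value, name of the GPO that set it)."""
    result: Dict[str, Tuple[str, str]] = {}
    for gpo in order:
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)  # a later GPO overwrites an earlier one
    return result


# Constructed sample data; setting names are illustrative, not real policy paths.
LGPO = GPO("Local", {"ScreenSaverTimeout": "900", "RunCmd": "Allowed"})
SITE_HQ = GPO("HQ Proxy", {"ProxyServer": "proxy.hq.example:8080"})
DEFAULT_DOMAIN = GPO("Default Domain Policy", {"ScreenSaverTimeout": "600", "RunCmd": "Allowed"})
DOMAIN_HARDENING = GPO("Domain Hardening", {"RunCmd": "Denied"})
OU_WORKSTATIONS = GPO("Workstations", {"ScreenSaverTimeout": "300"})
OU_KIOSKS = GPO("Kiosks", {"ScreenSaverTimeout": "60"})

# Link order 1 (Domain Hardening) is applied after link order 2 (Default
# Domain Policy), so its RunCmd value wins even though both set it.
DOMAIN_LINKS: Links = [(DEFAULT_DOMAIN, 2), (DOMAIN_HARDENING, 1)]


def resolve_kiosk() -> Dict[str, Tuple[str, str]]:
    """Resultant settings for a computer in OU Workstations\\Kiosks, located in site HQ."""
    order = processing_order(
        lgpo=LGPO,
        site=[(SITE_HQ, 1)],
        domain=DOMAIN_LINKS,
        ou_chain=[[(OU_WORKSTATIONS, 1)], [(OU_KIOSKS, 1)]],
    )
    return resultant_settings(order)


if __name__ == "__main__":
    for setting, (value, source) in sorted(resolve_kiosk().items()):
        print(f"{setting:20} = {value:24} (from {source})")
```

Running the block shows ScreenSaverTimeout coming from the Kiosks OU (the last GPO processed), RunCmd from Domain Hardening (link order 1 beats link order 2 in the same container), and ProxyServer from the site GPO, which nothing later overrides.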

Computer-Related Group Policies

Computer-related group policies are specific to the computer and apply to all users of the computer. Computer-related group policies are applied during the startup phase of the operating system and are fully applied by default before the Windows Logon dialog box appears. Table 5-1 lists the types of computer-related Group Policy settings.

Table 5-1. Computer-Related Group Policy Settings

  Group                     Description
  Software Installation     Enables software to be installed on nondomain controllers
  Windows Settings          Enables security templates to be deployed and computer startup and shutdown scripts to be executed
  Administrative Templates  Enables computer-related registry changes to be made

By using software installation policies, you can ensure that security-related software is installed on all computers on the network. For example, you might want to use a Group Policy object to assign antivirus software to all desktop and laptop computers in your organization.

You can import security templates into the computer configuration portion of Group Policy to deploy uniform security to computers on your organization's network. Table 5-2 describes the security settings in Group Policy.

Table 5-2. Security Options in Group Policy

  Area                Description
  Account Policies    Password policies, account lockout policies, and Kerberos policies
  Local Policies      Audit policy, user rights assignment, and security options
  Event Log Settings  Application, system, and security event log settings
  Restricted Groups   Membership of security-sensitive groups
  System Services     Startup parameters and permissions for system services
  Registry            Permissions for registry keys
  File System         Permissions for folders and files

You can use Windows settings to run scripts at the startup or shutdown of a computer. Startup scripts execute before the logon dialog box appears, and shutdown scripts run after the user has logged off but before services stop.

Administrative templates are settings that configure the Windows 2000 and Windows XP registries. In addition to the administrative templates included by default, you can import custom settings by creating and importing .adm files. In contrast with using Windows NT system policies, when you use Group Policy, policy settings made through administrative templates do not tattoo the registry and are applied immediately, rather than after one or more reboots.

Security templates are discussed in detail in Chapter 11, Configuring Security Templates.

Preferences vs. Policies

Registry-based policy, delivered through .adm templates, takes two forms: policies, which are registry entries under the special Policies keys, and preferences, which are registry entries anywhere else. The .adm files can carry either. We recommend that you use policies rather than preferences. Policies do not tattoo the registry: if you use a GPO to deploy both policies and preferences and then remove the GPO, the policies are removed but the preferences remain. Preferences are also not refreshed unless the GPO changes, so a user can change a preference and the change will persist until Group Policy changes and the GPOs are reapplied. Policies, on the other hand, are protected by an access control list (ACL) in the registry so that users cannot change them.

If you must use preferences, you need to add them via the .adm file. By default, if nothing changes at the GPO, nothing will be applied to the client computer (assuming the client has received the policy in the past).

Computer-related policy settings are stored in the registry hive HKEY_LOCAL_MACHINE (HKLM), and user-related policy settings are stored in the registry hive HKEY_CURRENT_USER (HKCU). In each of these registry hives, Group Policy settings are stored in these two registry keys:

  • \Software\Policies (preferred location)

  • \Software\Microsoft\Windows\CurrentVersion\Policies
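The distinction between policies and preferences, as an added example that is not part of the original text: a toy model of the registry that classifies an entry by whether it lies under one of the two Policies keys listed above, and then walks through apply, refresh, user edit, GPO change and GPO removal. The registry paths and GPO contents are constructed for illustration, and the model simplifies the real client-side behaviour (only the "GPO version unchanged, so registry policy is not reprocessed" rule and the ACL on policy entries are represented).

```python
# Added example (not from the book): a toy model of how registry policy
# entries and preference entries behave when a GPO is applied, refreshed,
# edited by the user, and finally removed.
from typing import Dict

# The two keys, under HKLM and HKCU, that hold policy entries (from the text).
POLICY_KEYS = (
    r"Software\Policies",
    r"Software\Microsoft\Windows\CurrentVersion\Policies",
)


def is_policy_entry(path: str) -> bool:
    """True when a value path (relative to HKLM or HKCU) lies under a Policies
    key; anything stored elsewhere is a preference."""
    normalized = path.replace("/", "\\").lower()
    return any(normalized.startswith(key.lower() + "\\") for key in POLICY_KEYS)


class Registry:
    """Flat toy registry: value path -> data, plus which GPO wrote each value
    and the GPO version that was last applied."""

    def __init__(self) -> None:
        self.values: Dict[str, str] = {}
        self.written_by: Dict[str, str] = {}
        self.applied_version: Dict[str, int] = {}

    def refresh(self, gpo: str, version: int, entries: Dict[str, str]) -> bool:
        """Group Policy refresh. Registry policy is reprocessed only when the
        GPO has changed (its version number moved); otherwise nothing is
        written, so user edits to preferences survive. Returns True when the
        GPO was (re)applied."""
        if self.applied_version.get(gpo) == version:
            return False
        for path, data in entries.items():
            self.values[path] = data
            self.written_by[path] = gpo
        self.applied_version[gpo] = version
        return True

    def user_edit(self, path: str, data: str, is_admin: bool = False) -> None:
        """Policy entries carry an ACL that stops users changing them;
        preferences can be changed freely."""
        if is_policy_entry(path) and not is_admin:
            raise PermissionError(f"{path} is a policy entry and is ACL-protected")
        self.values[path] = data

    def remove_gpo(self, gpo: str) -> None:
        """The GPO no longer applies: policy entries it wrote are removed;
        preference entries stay behind (they tattoo the registry)."""
        for path, owner in list(self.written_by.items()):
            if owner == gpo and is_policy_entry(path):
                del self.values[path]
                del self.written_by[path]
        self.applied_version.pop(gpo, None)


# Constructed sample GPO; paths are illustrative and relative to HKCU.
TIMEOUT = r"Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut"
WALLPAPER = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper"
DESKTOP_GPO = {TIMEOUT: "600", WALLPAPER: "corp.bmp"}


def walkthrough() -> Dict[str, object]:
    """Apply, let the user edit the preference, refresh, change the GPO, remove it."""
    reg = Registry()
    reg.refresh("Desktop", 1, DESKTOP_GPO)
    reg.user_edit(WALLPAPER, "mine.bmp")                  # preference: allowed
    reapplied = reg.refresh("Desktop", 1, DESKTOP_GPO)    # unchanged GPO: skipped
    after_unchanged = reg.values[WALLPAPER]
    reg.refresh("Desktop", 2, DESKTOP_GPO)                # admin changed the GPO
    after_change = reg.values[WALLPAPER]
    reg.remove_gpo("Desktop")
    return {
        "reapplied_when_unchanged": reapplied,
        "wallpaper_after_unchanged_refresh": after_unchanged,
        "wallpaper_after_gpo_change": after_change,
        "timeout_after_removal": reg.values.get(TIMEOUT),
        "wallpaper_after_removal": reg.values.get(WALLPAPER),
    }


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:36} {outcome}")
```

The walkthrough ends with the screen saver policy gone and the wallpaper preference still set to the corporate value, which is exactly the tattooing the text warns about; the user's edit of the preference survived a refresh and was only overwritten once the GPO itself changed.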

User-Related Group Policies

In addition to the computer-related group policies applied to the computer a user logs on to, user-related group policies are applied to specific users. By default, user-related group policies are applied immediately after the user's credentials are successfully authenticated but before the user gains control of the Windows Explorer shell. Table 5-3 describes the various types of user-related group policies.

Table 5-3. User-Related Group Policy Settings

  Group                     Description
  Software Installation     Enables software to be assigned or published to a user
  Windows Settings          Enables security templates to be deployed and user logon and logoff scripts to be executed
  Administrative Templates  Enables registry changes to be made for the user

Software can be deployed to users in two ways: it can be assigned, or it can be published. A package assigned to a user is advertised in the Start menu and is installed on the computer only when the user chooses to run the application, or when the user opens a file of a type associated with the application (if document-based invocation is enabled in the policy). Published software does not appear in the Start menu; instead it is listed in Control Panel under Add/Remove Programs, and it can also be installed by document-based invocation, if enabled.

If several users of one computer have the same application assigned or published to them, Group Policy Software Installation installs the application's core files only once per computer. The application information unique to each user is written to the Application Data folder in the user's profile or to the user's subtree in the HKEY_USERS (HKU) registry hive.

The Windows Settings for users contains options for configuring logon and logoff scripts, folder redirection behavior, Microsoft Internet Explorer settings, Public Key Infrastructure (PKI) enterprise trusts, and Remote Installation Services (RIS) settings. The Administrative Templates settings for users function similarly to the settings for computers.

Before deploying Group Policy objects, you should test the settings in a test environment to ensure that the GPOs do not prevent users from completing tasks required by their job function. If possible, you should also conduct a pilot deployment in the production environment.

Using Group Policy Containers

All computers running Windows 2000 and Windows XP have a local GPO that defines the default configuration of the computer. The local GPO applies to all users of the computer. In addition, if the computers are members of an Active Directory domain, you can deploy GPOs to all computers in a site, domain, or OU.

The Local Group Policy Object

You can configure a local Group Policy for any computer, regardless of whether it is a member of an Active Directory domain. To configure the local Group Policy object (LGPO), open the Group Policy MMC snap-in focused on the local computer (Gpedit.msc). The local Group Policy editor is shown in Figure 5-1.

Figure 5-1. Configuring the LGPO

Group Policy is processed in this order:

  1. Local Group Policy object

  2. Site GPOs

  3. Domain GPOs

  4. Organizational unit GPOs

  5. Nested organizational unit GPOs

The LGPO cannot be filtered by user or group. Unlike Group Policy objects in Active Directory, it has no discretionary access control list (DACL) permission named Apply Group Policy; there is only the Read permission, which an account needs both to read the LGPO's settings and to have them apply to its logon session. For Active Directory GPOs, Group Policy processing also checks the Apply Group Policy permission: the GPO is processed for a user or computer only if that account, directly or through group membership, holds both Read and Apply Group Policy on the GPO, and a Deny entry for either permission excludes it.
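The permission check just described, as an added example that is not part of the original text: a small DACL evaluator that collects the Allow rights of a principal and its groups, subtracts anything a Deny entry withholds, and requires both Read and Apply Group Policy for an Active Directory GPO (Read alone for the LGPO). The DACLs, principals and group memberships are constructed for illustration; the first DACL is modelled on the default permissions of a new GPO, and the second adds the common pattern of denying Apply Group Policy to Domain Admins so that a lockdown GPO does not apply to administrators.

```python
# Added example (not from the book): evaluating whether a Group Policy object
# applies to a user or computer from the GPO's DACL.
from dataclasses import dataclass
from typing import FrozenSet, List, Set

READ = "Read"
APPLY = "Apply Group Policy"


@dataclass(frozen=True)
class ACE:
    trustee: str            # user, group, or well-known principal name
    allow: bool             # False means a Deny entry
    rights: FrozenSet[str]


def effective_rights(dacl: List[ACE], principal: str, groups: Set[str]) -> Set[str]:
    """Union of the Allow rights for the principal and every group it belongs
    to, minus anything a Deny entry withholds: a Deny always wins."""
    identities = {principal, *groups}
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in dacl:
        if ace.trustee in identities:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied


def gpo_applies(dacl: List[ACE], principal: str, groups: Set[str],
                local: bool = False) -> bool:
    """An Active Directory GPO is processed only when the account holds both
    Read and Apply Group Policy. The LGPO has no Apply Group Policy entry, so
    Read alone decides."""
    rights = effective_rights(dacl, principal, groups)
    needed = {READ} if local else {READ, APPLY}
    return needed <= rights


# Constructed DACL modelled on a new GPO: Authenticated Users get Read and
# Apply; the admin groups get Read so they can edit the GPO.
DEFAULT_DACL = [
    ACE("Authenticated Users", True, frozenset({READ, APPLY})),
    ACE("Domain Admins", True, frozenset({READ})),
    ACE("Enterprise Admins", True, frozenset({READ})),
]

# The same GPO with an exclusion: Deny Apply Group Policy for Domain Admins.
# Domain Admins are still Authenticated Users, so without the Deny the GPO
# would apply to them as well.
EXCLUDE_ADMINS_DACL = DEFAULT_DACL + [
    ACE("Domain Admins", False, frozenset({APPLY})),
]

# A filtered GPO where Authenticated Users was removed and a group was given
# Apply Group Policy without Read: it can never be processed.
MISSING_READ_DACL = [
    ACE("Kiosk Users", True, frozenset({APPLY})),
]

# The LGPO exposes only Read (constructed entry for the local Users group).
LGPO_DACL = [ACE("Users", True, frozenset({READ}))]

# Constructed principals: (name, groups it belongs to).
ALICE = ("alice", {"Domain Users", "Authenticated Users"})
BOB = ("bob", {"Domain Admins", "Domain Users", "Authenticated Users"})
KIOSK = ("kiosk01$", {"Kiosk Users", "Authenticated Users", "Users"})


def filtering_results() -> dict:
    """Which of the sample GPOs apply to which sample principals."""
    return {
        "alice_default": gpo_applies(DEFAULT_DACL, *ALICE),
        "bob_default": gpo_applies(DEFAULT_DACL, *BOB),
        "bob_excluded": gpo_applies(EXCLUDE_ADMINS_DACL, *BOB),
        "alice_still_applies": gpo_applies(EXCLUDE_ADMINS_DACL, *ALICE),
        "kiosk_missing_read": gpo_applies(MISSING_READ_DACL, *KIOSK),
        "kiosk_lgpo": gpo_applies(LGPO_DACL, *KIOSK, local=True),
    }


if __name__ == "__main__":
    for case, applies in filtering_results().items():
        print(f"{case:22} {'applies' if applies else 'skipped'}")
```

Two of the results are the ones that catch people out in practice: the GPO still applies to Domain Admins on the default DACL, because they are also Authenticated Users, and a GPO granted Apply Group Policy without Read is silently skipped.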

Site Group Policy Objects

Group Policy objects linked to a site container affect all computers and users located in that site, from any domain in the forest. Until additional sites and subnet objects are defined, every computer running Windows 2000 or Windows XP is placed in the Default-First-Site-Name site. Site information replicates to every domain controller in the forest, so a GPO linked to a site is applied to all computers in that site regardless of their domain. This lets a single GPO span multiple domains, but it also causes cross-domain authentication, because clients must retrieve the GPO from a domain controller in the domain where the GPO is stored. Because site GPOs can affect multiple domains, you must be a member of the Enterprise Admins group, or have been specifically delegated control, to manage them.

Site GPOs are effective for managing settings that apply to a group of computers on the same high-speed network. For example, you might want to assign Proxy Server settings in Internet Explorer by site, or install antivirus software from a server on the same network as the computer.
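How a client ends up under a site GPO, as an added example that is not part of the original text: the client's address is matched against the subnet objects (most specific prefix wins), an unmatched address falls back to Default-First-Site-Name as the text describes, and the result is the list of site-linked GPOs the client will process together with the domain it has to retrieve them from. The subnets, site names, GPO names and domain names are constructed for illustration, and the example assumes the default the text states, that a site-linked GPO is stored in the forest root domain.

```python
# Added example (not from the book): working out which site a client belongs
# to and which site-linked GPOs it will therefore process.
import ipaddress
from typing import Dict, List, Optional

DEFAULT_SITE = "Default-First-Site-Name"

# Constructed subnet objects (prefix -> site). Overlapping prefixes are
# allowed; the most specific match wins.
SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "HQ",
    "10.1.50.0/24": "HQ-Lab",
    "10.2.0.0/16": "Branch",
}

# Constructed site links: site -> GPO names, in the order they are applied.
SITE_GPOS: Dict[str, List[str]] = {
    "HQ": ["HQ Proxy Settings"],
    "HQ-Lab": ["HQ Proxy Settings", "Lab Antivirus Install"],
    "Branch": ["Branch Antivirus Install"],
}


def site_for_address(addr: str, subnets: Dict[str, str]) -> str:
    """Longest-prefix match of the client address against the subnet
    objects. With no match the client is treated as being in the default
    site, the only site that exists until others are defined."""
    ip = ipaddress.ip_address(addr)
    best_net: Optional[ipaddress._BaseNetwork] = None
    best_site = DEFAULT_SITE
    for prefix, site in subnets.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def site_policy_plan(addr: str, client_domain: str, forest_root: str) -> dict:
    """Site GPOs apply regardless of the client's domain, but a GPO created
    for a site lives in the forest root domain, so a client in another domain
    must fetch it from a forest-root domain controller (cross-domain access)."""
    site = site_for_address(addr, SUBNETS)
    return {
        "site": site,
        "gpos": SITE_GPOS.get(site, []),
        "retrieved_from": forest_root,
        "cross_domain": client_domain != forest_root,
    }


if __name__ == "__main__":
    for client in ("10.1.3.4", "10.1.50.7", "10.2.9.9", "192.168.1.1"):
        plan = site_policy_plan(client, "eu.corp.example", "corp.example")
        print(f"{client:12} site={plan['site']:22} gpos={plan['gpos']} "
              f"cross_domain={plan['cross_domain']}")
```

The 10.1.50.0/24 subnet object wins over 10.1.0.0/16 for a lab machine, which is the usual way a lab or DMZ segment is given its own site GPO inside a larger campus network.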

Domain Group Policy Objects

Group Policy objects that are linked to a domain affect all computers or users in the domain. By default, two GPOs exist in each Active Directory domain:

  • Default Domain Policy

  • Default Domain Controllers Policy

The Default Domain Policy contains the default security policy for all computers in the domain and the account policies for domain accounts. The Default Domain Controllers Policy contains the default security policy for domain controllers and augments the security policy of the Default Domain Policy. For example, the Default Domain Controllers Policy prohibits nonadministrators from logging on interactively.

OU Group Policy Objects

One of the primary purposes of OU containers is to facilitate the deployment of Group Policy objects to users and computers. Unlike domains, OUs are flexible: objects, including security principals, can easily be moved between OUs, and OUs can be created and deleted without much consequence. You can create OUs that facilitate the application of GPOs based on the security needs of the users or computers. The Domain Controllers OU is the only OU created by default in each domain. Its purpose is to facilitate the deployment of the Default Domain Controllers GPO.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189
