Understanding Group Policy




For most users of Windows Small Business Server, the built-in groups and default group policy provide adequate protection against mischief and malice whether it comes from outside or inside the network. However, many networks require a few new policies to address specific needs or at least to tweak existing policies.

Group Policy was introduced in Windows 2000 and is the successor to the System Policy Editor in Windows NT. Like many very powerful tools, Group Policy can be treacherous to work with. It’s often difficult to get just the results you want without any odd side effects. So proceed with caution and never make a change without knowing how to undo it.

To add or change a Group Policy Object (GPO), you must have sufficient permissions. You needn’t log on as the administrator—instead, use Run As (described in Chapter 9).

Tip 

Limit who can create and modify GPOs. Ill-considered changes can have far-reaching consequences.

As powerful as Group Policy is, it does not work retroactively. GPOs affect only computers running Windows 2000 or later. You must rely on share permissions for clients using other operating systems.

start sidebar
Under the Hood

Components of Group Policy

Group policy is an abstraction that consists of two parts, a Group Policy Container (GPC) and a Group Policy Template (GPT). Both parts are contained in a Group Policy Object (GPO). The GPO is what we work with directly. The GPO contains all the settings that can apply to users and computers, and when those settings are changed, the changes are made to the GPO. The two components of the GPO exist in different places.

The GPC is the Active Directory component of the GPO and includes sub-containers with version information, status information, and a list of which Group Policy extensions are employed in the GPO. It also contains some information used by clients, such as the software installation policy.

The GPT is a set of files in the SYSVOL folder on the server. When you create a GPO, the corresponding GPT folder structure is created automatically. The actual name of the folder for the GPT is the globally unique identifier (GUID) for the GPO—a number that is useful to the computer but is otherwise incomprehensible. To see the policy folder, look in %SystemRoot%\SYSVOL\sysvol\domain_name\policies. But do not change this folder in any way. Do your work on Group Policy through the Group Policy Management Console (GPMC) or Server Management.

end sidebar

In a GPO, most settings have three states: not configured, enabled, and disabled. Additionally, GPOs have two configuration nodes: Computer Configuration and User Configuration. In case of a conflict, the computer setting overrides the user setting.

Group policies are inherited and cumulative. When you associate a GPO with an Active Directory container, the Group Policy is applied to all computer and user accounts in the container.

Creating a Group Policy Object

The installation of Windows Small Business Server creates an Active Directory domain that comes with a default domain policy, a default Domain Controllers policy, and several policies specifically for Small Business Server. With some judicious adjustments to meet the needs of your own situation, you might never need anything else. When you need to set up a GPO of your own, you can follow these steps:

  1. Choose Group Policy Management from the Administrative Tools menu to launch the Group Policy Management Console (GPMC). (GPMC is also under Advanced Management in the Server Management tool.)

  2. In the console tree, expand the domain container, right-click Group Policy Objects and select New from the shortcut menu.

  3. Type the name of the new GPO and click OK.

  4. In the console tree, right-click the new GPO and select Edit to launch the Group Policy Object Editor.

  5. Specify settings for the GPO. When you’re finished, close the Group Policy Object Editor.

  6. In the Group Policy Management Console, right-click the domain name or the organizational unit this GPO is to be associated with and select Link An Existing GPO from the shortcut menu.

  7. In the Select GPO dialog box, select the GPO to link and click OK.

    You can also right-click the domain or organizational unit and select Create And Link A GPO Here, to shorten the process by one step.

Tip 

The fewer GPOs per user and per computer, the better. The processing of GPOs takes time, and too many of them can slow logons and logoffs. The number of settings within a GPO doesn’t have a negative impact—it’s the number of GPOs.

Tip 

Avoid making changes to the default GPOs. Instead, create new GPOs that can easily be disabled.

start sidebar
Under the Hood

Inside the Group Policy Object Editor

When you edit a policy in the Group Policy Object Editor, you see that the editor displays two nodes: Computer Configuration and User Configuration. When you expand these nodes, you find that each displays extensions for Software Settings, Windows Settings, and Administrative Templates.

Use the Computer Configuration node to customize policies for computers on the network. These policies go into effect when the computer is turned on and the operating system starts. Settings in these folders apply to any user who logs on to the computer. For example, if you have machines in a training room for which you want to enforce a strict environment, the Computer Configuration node is where you make those settings.

The User Configuration node contains settings for customizing environments or setting policies for users on the network. User Configuration policies come into play when a specific user logs on to the network.

end sidebar

Deleting a Group Policy Object

To delete a Group Policy Object, right-click it in the Group Policy Management Console and select Delete from the shortcut menu. When you delete a GPO, all links to the GPO will also be deleted. Be sure that you are logged on to an account with sufficient permissions. Neither the Default Domain Policy nor the Default Domain Controllers Policy can be deleted.

Order of Inheritance

As a rule, Group Policy settings are passed from parent containers down to child containers. This practice means that a policy that is applied to a parent container applies to all the containers—including users and computers—that are below the parent container in the Active Directory tree hierarchy. However, if you specifically assign a Group Policy for a child container that contradicts the parent container policy, the child container’s policy overrides the parent Group Policy.

If policies are not contradictory, both can be implemented. For example, if a parent container policy calls for an application shortcut to be on a user’s desktop, and the child container policy calls for another application shortcut, both appear. Policy settings that are disabled are inherited as disabled. Policy settings that are not configured in the parent container are not inherited.

Order of Implementation

Group policies are processed in the following order:

  1. Local Group Policy Object

  2. GPOs linked to the site, in administratively specified order

  3. Domain GPOs, in administratively specified order

  4. Organizational unit Group Policy Objects, from largest to smallest organizational unit (parent to child organizational unit)

Exceptions to this order are GPOs with enforced or disabled links, GPOs with disabled user or computer settings, and organizational units (or the whole domain) set to block inheritance.

To see the order of precedence for GPOs for a domain or organizational unit, open Group Policy Management and in the console tree, select the domain name or the organizational unit. In the details pane, click the Group Policy Inheritance tab (Figure 10-16).

Figure 10-16: Viewing the order of precedence for the execution of GPOs.

To change the order of precedence, click the Linked Group Policy Object tab, select the link you want to move, and use the up and down arrow buttons to change the order.

Overriding Inheritance

Two options are available for changing how inheritance is processed. One option is to enforce a link (called No Override on computers without GPMC). When this option is set, child containers cannot override any policy setting set in a higher level GPO. This option is not set by default and must be turned on in each GPO where it’s wanted. To set the Enforced option, complete the following steps:

  1. Select Group Policy Management from the Administrative Tools menu.

  2. In the console tree, navigate to Group Policy Objects and select the GPO for which you want to enforce a link.

  3. In the details pane, on the Scope tab, right-click the link to be enforced, and select Enforced from the shortcut menu (Figure 10-17).

Figure 10-17: Preventing inheritance from overriding settings on a GPO.

A second option is Block Inheritance. When you select this option, the child container does not inherit any policies from parent containers. GPO links set to Enforced can’t be blocked. To block inheritance, complete the following steps:

  1. Select Group Policy Management from the Administrative Tools menu.

  2. Right-click the domain or organizational unit for which you want to block inheritance and select Block Inheritance from the shortcut menu (Figure 10-18).

Figure 10-18: Blocking inheritance.

Explicit permissions take precedence over inherited permissions—even an inherited Deny. So if you explicitly grant access to an object, the inherited Deny does not prevent access.

Tip 

Because these options can have unpredictable results, use Block Inheritance and Enforced sparingly.
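The processing order and the two overrides described above are easy to misjudge once a domain has several containers, an enforced link, and a blocked organizational unit at the same time. The following Python simulation is an added example, not code from the book or from Microsoft; its GPO, domain, and OU names are constructed. It applies the rules stated in this section (local, site, domain, then organizational units from parent to child; a contradictory child setting winning; Not Configured settings not inherited while Disabled settings are inherited as Disabled; Block Inheritance discarding parent links; Enforced links that cannot be blocked; disabled links and disabled User or Computer branches skipped). It also relies on two GPMC conventions the chapter does not spell out: Link Order 1 at a container is the highest precedence there and is applied last, and enforced links are applied after all other links, with the highest container's enforced link applied last so that it wins.

```python
"""Simulation of Group Policy precedence: LSDOU order, link order, Enforced,
Block Inheritance and disabled branches. Constructed example, not GPMC code."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# A setting value is "Enabled" or "Disabled"; None stands for Not Configured.
Settings = Dict[str, Optional[str]]


@dataclass
class GPO:
    name: str
    settings: Settings                            # keys look like "User/..." or "Computer/..."
    disabled_nodes: FrozenSet[str] = frozenset()  # {"User"} when the User Configuration branch is disabled


@dataclass
class Link:
    gpo: GPO
    enabled: bool = True
    enforced: bool = False


@dataclass
class Container:
    """A site, domain or OU. `links` is in GPMC link order: index 0 is Link Order 1,
    the highest precedence at this container, so it is applied last (assumed GPMC
    convention, not stated in the chapter)."""
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(local: Optional[GPO], scopes: List[Container]) -> List[GPO]:
    """Return GPOs in the order they are applied to an object in scopes[-1].

    scopes runs site, domain, parent OU, ..., containing OU. Local policy is always
    first. Non-enforced links follow in scope order; enforced links are applied
    after everything else, deepest scope first, so an enforced link on a higher
    container is applied last and wins."""
    order: List[GPO] = [local] if local else []
    # Block Inheritance at scope i discards non-enforced links of every scope above
    # it; with several blocks the deepest one governs.
    block_at = max((i for i, c in enumerate(scopes) if c.block_inheritance), default=-1)
    enforced_by_scope: List[List[GPO]] = []
    for i, scope in enumerate(scopes):
        enforced_here: List[GPO] = []
        for link in reversed(scope.links):      # Link Order 1 is applied last
            if not link.enabled:                # disabled links are skipped entirely
                continue
            if link.enforced:
                enforced_here.append(link.gpo)  # Enforced cannot be blocked
            elif i >= block_at:                 # not blocked by a lower container
                order.append(link.gpo)
        enforced_by_scope.append(enforced_here)
    for enforced_here in reversed(enforced_by_scope):
        order.extend(enforced_here)
    return order


def resolve(order: List[GPO]) -> Dict[str, Tuple[str, str]]:
    """Apply GPOs in order; a later value overwrites an earlier one.

    Returns setting -> (value, name of the GPO that set it). Not Configured settings
    are skipped, so they never override an inherited value, while a Disabled setting
    is inherited as Disabled. Settings in a disabled branch are skipped as well."""
    effective: Dict[str, Tuple[str, str]] = {}
    for gpo in order:
        for setting, value in gpo.settings.items():
            node = setting.split("/", 1)[0]
            if value is None or node in gpo.disabled_nodes:
                continue
            effective[setting] = (value, gpo.name)
    return effective


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed domain: an enforced lockdown GPO at the domain level and a
    Training OU that blocks inheritance and contradicts the lockdown."""
    local = GPO("Local", {"User/RunOnlyAllowedApps": "Disabled"})
    lockdown = GPO("Domain Lockdown", {"User/RunOnlyAllowedApps": "Enabled",
                                       "Computer/RequireSmartCard": "Enabled"})
    default_domain = GPO("Default Domain Policy", {"Computer/PasswordHistory": "Enabled",
                                                   "User/HideControlPanel": None})
    training = GPO("Training Room", {"User/HideControlPanel": "Enabled",
                                     "User/RunOnlyAllowedApps": "Disabled",
                                     "Computer/RequireSmartCard": "Disabled"})
    shortcuts = GPO("Desktop Shortcuts", {"User/ShortcutA": "Enabled",
                                          "Computer/PasswordHistory": "Disabled"},
                    disabled_nodes=frozenset({"Computer"}))  # Computer branch disabled
    site = Container("Default-First-Site-Name")
    domain = Container("example.local", links=[Link(lockdown, enforced=True),  # Link Order 1
                                               Link(default_domain)])          # Link Order 2
    ou = Container("Training", links=[Link(training), Link(shortcuts)], block_inheritance=True)
    return resolve(processing_order(local, [site, domain, ou]))


if __name__ == "__main__":
    for setting, (value, source) in sorted(demo().items()):
        print(f"{setting:<28} {value:<9} from {source}")
```

In the constructed demo, the Training OU's Block Inheritance drops the Default Domain Policy (so its password setting never arrives), yet the enforced Domain Lockdown still lands last and reverses the OU's attempt to turn off the application restriction and the smart card requirement; the Desktop Shortcuts GPO contributes its user shortcut but nothing from its disabled Computer branch. Changing `block_inheritance`, `enforced`, or the order of `links` and rerunning the script shows how each control alters the outcome.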

start sidebar
Real World

Using Group Policy Scripts

A set of scripts addressing everyday tasks is included with Group Policy Management Console. They’re located in Program Files\GPMC\Scripts. Although the script names are generally self-explanatory, you must enter scriptname /? at a command prompt to see the parameters for using the script. For example, enter SetGPOCreationPermissions /? at a command prompt and this dialog box opens:

[Screenshot of the SetGPOCreationPermissions usage dialog box not reproduced]

The scripts execute from the command line using Cscript.exe, so to run SetGPOCreationPermissions.wsf and thereby allow a designated group to create GPOs, you type

cscript "\Program Files\GPMC\Scripts\SetGPOCreationPermissions.wsf" "Group Name"

Press Enter and the command window displays the following output:

[Screenshot of the command output not reproduced]

To operate, many of the scripts require the library file Lib_CommonGPMCFunctions.js. If you move or copy scripts to another location, move a copy of this file to the same location.

end sidebar

Enabling and Disabling GPO Links

To check or change the status of a GPO link, complete the following steps:

  1. Select Group Policy Management from the Administrative Tools menu.

  2. In the console tree, navigate to the Group Policy Objects under your domain name and select the GPO.

  3. On the Scope tab, links are listed and the status of the link is shown under Link Enabled. To change the status, right-click the link and select Link Enabled from the shortcut menu (Figure 10-19).

Figure 10-19: A check mark shows the link is enabled.

Finding Group Policy Links

With numerous GPOs on a network, it’s important to keep track of GPO links within the domain. To find out what links exist for a particular GPO, complete the following steps:

  1. Select Group Policy Management from the Administrative Tools menu.

  2. Right-click the domain name in the console tree and select Search from the shortcut menu.

  3. In the Search Item drop-down list, select GPO-links.

  4. Click Add and then click Search.

  5. In the Search Results box (Figure 10-20), double-click a GPO to view its links and other settings.

Figure 10-20: Finding GPO links.

Setting the Scope of the GPO

A Group Policy Object applies to all the users and computers in the container with which the GPO is associated. Most GPOs default to applying to Authenticated Users—namely, everyone who can log on to the network. Inevitably, there are GPOs that should apply only to some. To filter the application of a GPO, complete the following steps:

  1. Select Group Policy Management from the Administrative Tools menu.

  2. Select the Group Policy Object you want to filter and click the Scope tab.

  3. On the Scope tab in the Security Filtering section, click Add and locate the groups or users who should have the policy applied to them (Figure 10-21). Make your selection and click OK twice.

  4. If Authenticated Users appears in the Security Filtering list on the Scope page, select it and click Remove. This ensures that the GPO is applied only to the groups or users you added.

Figure 10-21: Selecting the groups or users to which the Group Policy Object applies.

Disabling a Branch of a GPO

If a GPO has an entire node under User Configuration or Computer Configuration that’s not configured, disable the node to avoid processing those settings. This speeds startup and logon events for all users subject to that GPO. To disable a node, complete the following steps:

  1. Select Group Policy Management from the Administrative Tools menu. In the console tree, right-click the Group Policy Object you want to change and select Edit from the shortcut menu.

  2. In the console tree of the Group Policy Object Editor, right-click the GPO and select Properties.

  3. On the General tab, select the check box to disable the User Configuration or Computer Configuration settings for this GPO.

  4. Click OK when you’re finished.

The settings you disable no longer affect any object to which the GPO is linked.

Refreshing Group Policy

Policy changes are immediate, but they are not instantly propagated to clients. Client computers request policy only when one of the following occurs:

  • The computer starts.

  • A user logs on.

  • An application requests a refresh.

  • A user requests a refresh.

  • A Group Policy refresh interval is enabled and the interval has elapsed.

By default, Group Policy refreshes in the background every 90 minutes with a random offset of 0 through 30 minutes (so not all computers request a refresh at the same time).

To change the Group Policy refresh interval, complete the following steps:

  1. Select Group Policy Management from the Administrative Tools menu.

  2. To add the setting to an existing GPO, right-click the GPO and select Edit. To create a new GPO, right-click the domain name or organizational unit and select Create And Link A GPO Here. Supply a name for the new GPO then right-click it in Group Policy Management Console and select Edit.

  3. In the console tree, expand Computer Configuration, Administrative Templates, System, and then select Group Policy.

  4. In the details pane, double-click Group Policy Refresh Interval For Computers.

  5. On the Setting tab, select Enabled then supply the new settings. Click OK when finished.

Don’t make the interval very short because of the large amount of network traffic generated by each refresh.

Because policy can be set at several levels, when you look at a policy object, what you see is both local policy and the policy in effect on the system. Local policy and actual policy in effect might not be synonymous if the computer is inheriting settings from domain-level policies. If you make a policy setting and it isn’t reflected in effective policy, a policy from the domain is overriding your setting.

More Info 

For more information, see “Determining Effective Permissions,” earlier in this chapter.

It’s also possible that the policy change hasn’t been refreshed since the change was made. To force a policy refresh for the local computer, open a command window and type:

gpupdate [/target:{computer | user}] /force

Tip 

For details about the update parameters, open a command window and type gpupdate /?






Microsoft Windows Small Business Server 2003 Administrator's Companion
ISBN: 0735620202
Year: 2004
Pages: 224
