Group Policy Explained

Technical Seminars Spring 2010 ©2010 RM

1

Group Policy Explained

Paul Semple

[email protected]

• “[Group Policy is] …the ability for the Administrator to state a wish about the state of their users’ environment once, and then rely on the system to enforce that wish.”


• What is Group Policy?

• What is a Group Policy Object (GPO)?

• How do we (RM) manipulate GPOs?

• Inside a GPO.

• Management and Configuration of a GPO.

• How GPOs are applied.

• Caveat…


What is Group Policy?

• Rules that are applied to a machine every time the operating system starts up and whenever a user logs on


• Group Policies can:

–Configure users' desktops

–Configure local security on computers

–Install applications

–Configure Internet Explorer settings

–Redirect special folders

What is a Group Policy Object (GPO)?

• Group Policy Objects (GPOs) are collections of Computer and/or User specific settings

• GPOs are designed as a way to globally modify user and computer settings through a controllable and manageable central interface

How do we (RM) manipulate GPOs?


• User and Computer configuration in Community Connect is based on Group Policy

• Community Connect ships with ready made GPOs

• Community Connect applies Group Policies to the Establishments OU

• Allows for the integration of non-Community Connect machines into your Domain

Group Policy Administrative Tools


Group Policy Objects in more detail

• Use the Microsoft Group Policy Management Console (GPMC.MSC) to view GPO configuration and settings

Managing Group Policy Prior to the GPMC

Group Policy Management Console

• Think of the GPMC as a one-stop resource for managing your Group Policy needs

http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

(Only install on Windows® Server® 2003)


• The GPMC provides an overview of the content of a GPO

GPOs Under the Microscope

Inside a GPO

• Divisions of a GPO (GPEDIT):

– Computer Configuration

– User Configuration

• Administrative Templates — registry-based settings

• User Configuration settings modify HKEY_CURRENT_USER

• Computer Configuration settings modify HKEY_LOCAL_MACHINE


Policies are applied in a specific order

• Remember the acronym LSDOU: Local, Site, Domain, Organisation Unit

• The Community Connect GPOs are linked at the Establishments OU, the last container in that chain

• GPOs are applied from the bottom up: Local first, then Site, then Domain, then the OUs

• Last writer wins! A setting defined in more than one GPO takes its value from the GPO processed last


When is Group Policy Applied

• Start-up and Shutdown

• Logon and Logoff

• Defined Intervals

• Forced with GPUPDATE.exe

How Group Policy Affects Startup and Log On

• Computer Policies:

• The network starts.

• A list of GPOs is obtained for the computer

• If no changes have been made to the list of GPOs, or the GPOs themselves, then no processing will be done

• Computer configuration settings are processed. No user interface is displayed while computer configuration settings are being processed.

• Start-up Scripts run

• The user presses Ctrl+Alt+Del to log on

How Group Policy Affects Startup and Log On

• User Policies

• After the user is validated their profile is loaded

• A list of GPOs is obtained for the user

• Again…If no changes have been made to the list of GPOs or the GPOs themselves then no processing will be done

• User configuration settings are processed in the following order: local GPO, site GPOs, domain GPOs, and OU GPOs. No user interface is displayed while user policies are being processed

• Logon scripts run

• The operating system user interface set by Group Policy appears


User Policies

• 4 Standard CC4 User Types; each correlating to an AD GPO


Using Security Groups to Filter GPO Scope

• By default “Authenticated Users” have the Read and Apply Group Policy permissions on every GPO, so every user and computer in scope applies it

• We (RM) refine this so that the appropriate GPOs are assigned to the appropriate users and computers

GPOs can be disabled:

• Entirely (for troubleshooting)

• Partially (performance): the unused Computer or User half of a GPO can be disabled so stations do not process it


GPO Components: Group Policy Containers

• GPOs consist of two objects - a Group Policy Container (GPC) and a Group Policy Template (GPT)

–GPCs are stored in Active Directory

–View by enabling Advanced Features in AD Users and Computers, then System/Policies


GPO Components: Group Policy Templates

• Group Policy Templates hold the policy settings that are applied to stations and users

• GPTs are stored in the file system of your domain controllers in:

– %SystemRoot%\SYSVOL\sysvol\<DomainName>\Policies

• Each GPO has its own folder there, named after the GPO’s GUID; for the Standard UserType GPO:

– 8978D66E-EA13-4D17-A389-A93785F5DBC2


• Which folders get populated depends on the GPO they relate to:

– The ADM Folder will be populated if the GPO is configured to specify custom registry settings

– The Machine Folder contains settings for the Computer part of the GPO – Registry.pol (can also contain GptTmpl.inf – security settings)

– The User Folder contains settings for the User part of the GPO – Registry.pol

• GPT.ini – records the GPO’s version number

How can I look at the registry.pol file contents?

• The registry.pol file contains the current set of registry policy settings defined in the computer or user portion of a GPO

• You can use the regview.exe tool provided in the Windows 2003 Resource Kit Tools to view the contents of any registry.pol file

What happens on the station?

• Client Side Extensions (CSEs) interpret GPOs and make the changes to the environment

• Called by Winlogon at computer startup, user logon and Group Policy Refresh Interval

• CSEs are DLLs - each responsible for a specific policy


What happens on the station?

Extension – DLL

• Registry – Userenv.dll

• Disk Quota – Dskquota.dll

• Folder Redirection – Fdeploy.dll

• Scripts – Gptext.dll

• Software Installation – Appmgmts.dll

• Security – Scecli.dll

• IP Security – Gptext.dll

• EFS Recovery – Scecli.dll

• IE Maintenance – Iedkcs32.dll

• Slow link detection uses Internet Control Message Protocol (ICMP) on the Windows XP / Server 2003 generation (Windows Vista and later use Network Location Awareness instead)

• Some policies are not applied if the link is considered slow (Folder Redirection / IE Maintenance)

• On boot:

• The client (Winlogon) uses LDAP to search and build the list of GPOs to be evaluated for processing, using the gPLink attribute of each container in the chain

• Each GPO then searched in AD to check whether the user or computer has permissions to process it

• Path to GPT and version also evaluated

• GPT.ini version number checked
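The steps above, from the gPLink search through the permission check to last-writer-wins, as an added example in Python. It is not RM’s or Microsoft’s code: the containers, GPO names, group names and settings are constructed for illustration and fed in as data rather than read over LDAP. It covers the LSDOU order slide, the security-filtering slide, and the Block Inheritance / No Override (Enforced) points from the summary.

```python
"""Added example (not RM's or Microsoft's code): simulate how a client assembles its
GPO list from the gPLink chain, applies security filtering, Block Inheritance and
Enforced (No Override) links, and resolves conflicts last-writer-wins.

Everything below is constructed for illustration: the container names, GPO names,
group names and settings are hypothetical and are supplied as Python data rather
than read from Active Directory over LDAP.
"""
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict                        # setting name -> value
    apply_to: frozenset = frozenset()     # groups granted Read + Apply Group Policy
    deny_apply: frozenset = frozenset()   # groups explicitly denied Apply Group Policy


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # [(gpo, enforced)] in link order, 1 first
    block_inheritance: bool = False


def passes_security_filter(gpo, groups):
    """A GPO applies only if some group the principal holds grants Read + Apply
    Group Policy and no group it holds is denied Apply Group Policy."""
    return bool(gpo.apply_to & groups) and not (gpo.deny_apply & groups)


def processing_order(local_gpo, chain, groups):
    """chain: AD containers in LSDOU order after Local, e.g. [site, domain, ou, ...].
    Returns the GPOs in the order the client applies them (the last one wins)."""
    normal, enforced = [], []
    # Block Inheritance on a container discards non-enforced links from its parents;
    # only the deepest block matters. The local GPO is not inherited, so never blocked.
    blocked_above = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    for depth, container in enumerate(chain):
        # Link order 1 has the highest precedence, so it is applied last within a container.
        for gpo, is_enforced in reversed(container.links):
            if not passes_security_filter(gpo, groups):
                continue
            if is_enforced:
                enforced.append((depth, gpo))
            elif depth >= blocked_above:
                normal.append(gpo)
    # Enforced links beat everything linked below them, and a parent's enforced link
    # beats a child's, so they are applied after the normal list, deepest first.
    enforced.sort(key=lambda item: item[0], reverse=True)
    return [local_gpo] + normal + [gpo for _, gpo in enforced]


def resolve(order):
    """Last writer wins. Records which GPO supplied each value, as RSoP would show."""
    result = {}
    for gpo in order:
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)
    return result


def build_example():
    """Hypothetical hierarchy: Site -> Domain -> Establishments OU (with Block Inheritance)."""
    local = Gpo("Local", {"Wallpaper": "local.bmp"})
    site_sec = Gpo("SiteSecurity", {"Wallpaper": "site.bmp", "ScreenSaverTimeout": 900},
                   apply_to=frozenset({"Authenticated Users"}))
    domain_default = Gpo("Default Domain Policy", {"EnableFirewall": 1, "Wallpaper": "domain.bmp"},
                         apply_to=frozenset({"Authenticated Users"}))
    standard = Gpo("Standard UserType", {"Wallpaper": "standard.bmp", "NoRun": 1},
                   apply_to=frozenset({"Standard Users"}))
    admin = Gpo("Admin UserType", {"NoRun": 0}, apply_to=frozenset({"Admin Users"}))
    chain = [
        Container("Site", [(site_sec, True)]),                       # Enforced at the site
        Container("Domain", [(domain_default, False)]),
        Container("Establishments OU", [(standard, False), (admin, False)], block_inheritance=True),
    ]
    return local, chain


def demo(groups=frozenset({"Authenticated Users", "Standard Users"})):
    local, chain = build_example()
    order = processing_order(local, chain, groups)
    return [g.name for g in order], resolve(order)


if __name__ == "__main__":
    names, effective = demo()
    print("applied in order:", names)
    for setting, (value, source) in sorted(effective.items()):
        print(f"  {setting} = {value!r}  (from {source})")
```

With Block Inheritance on the Establishments OU the Default Domain Policy’s EnableFirewall setting never reaches the result, while the enforced site GPO still wins the Wallpaper conflict. That is the pattern to look for when a domain-wide security setting is unexpectedly missing on stations: a block lower down the tree, or a filtering group the computer or user is not in.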


What happens on the station if a GPO changes?

• Stations keep a record of the version numbers of the GPOs they have processed:

– HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History (Computer Policies)

– HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\<SID of User> (User Policies)

• The version in the registry does not have to be smaller than the current one, it just has to be different

• The version number is incremented whenever the GPO is edited and is held in both the GPC (in AD) and the GPT (GPT.ini in SYSVOL); the client checks that the two are in sync and, if the version it recorded differs from the current one, initiates a policy refresh
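How the client reads that version number, as an added example in Python (not RM’s or Microsoft’s code). The 32-bit version is packed: the low 16 bits count changes to the Computer half of the GPO and the high 16 bits count changes to the User half, so editing only user settings leaves the computer CSEs with nothing to do. The GPT.ini text is constructed for the example, and treating a GPC/GPT mismatch as a warning rather than a hard stop is this example’s own choice.

```python
"""Added example (not RM's or Microsoft's code): decode a GPO version number the way
the client does when deciding whether a GPO must be reprocessed.

The 32-bit version is stored twice, as the versionNumber attribute of the GPC in AD
and as Version= in GPT.ini in SYSVOL. Its low 16 bits count changes to the Computer
half of the GPO and its high 16 bits count changes to the User half. The GPT.ini text
below is constructed for the example; the values are not taken from any real GPO.
"""
import configparser

SAMPLE_GPT_INI = """[General]
Version=196610
displayName=Standard UserType
"""   # constructed: 196610 == (3 << 16) | 2, i.e. User version 3, Computer version 2


def split_version(version):
    """Return (user_version, computer_version) from the packed DWORD."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def join_version(user_version, computer_version):
    """Inverse of split_version."""
    return ((user_version & 0xFFFF) << 16) | (computer_version & 0xFFFF)


def read_gpt_ini_version(text):
    """Parse GPT.ini content (a plain INI file) and return the Version DWORD."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return int(parser["General"]["Version"])


def needs_reprocessing(history_version, gpc_version, gpt_version, half, force=False):
    """Decide whether the CSEs for one half of the GPO ("user" or "computer") run.

    history_version: the version the station recorded under ...\\Group Policy\\History
    gpc_version / gpt_version: the current values from AD and from GPT.ini.
    Returns (reprocess, reason). A GPC/GPT mismatch is reported as a warning because
    it usually means AD and SYSVOL replication have not yet caught up with each other.
    """
    index = 0 if half == "user" else 1
    old = split_version(history_version)[index]
    new = split_version(gpt_version)[index]
    warnings = []
    if split_version(gpc_version)[index] != new:
        warnings.append("GPC/GPT mismatch (AD and SYSVOL replication not yet in sync?)")
    if force:
        reprocess, why = True, "forced refresh"
    elif old != new:                       # different, not merely larger, is what matters
        reprocess, why = True, f"version changed {old} -> {new}"
    else:
        reprocess, why = False, f"version {old} unchanged, CSEs skipped"
    return reprocess, "; ".join([f"{half}: {why}"] + warnings)


if __name__ == "__main__":
    current = read_gpt_ini_version(SAMPLE_GPT_INI)
    print("user/computer versions:", split_version(current))
    # The station last processed User 2 / Computer 2; only the user half changed since.
    for half in ("user", "computer"):
        print(needs_reprocessing(join_version(2, 2), current, current, half))
```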


Which Policies have been applied?

• Watermarks

– HKLM\Software\Policies\Research Machines\ Network Management\Computer Policies

– HKCU\Software\Policies\Research Machines\Network Management\User Policies


Speaking of SYSVOL…Group Policy Replication

• In a domain that contains more than one domain controller, Group Policy information propagates, or replicates, from one domain controller to another: the GPC replicates with Active Directory, while the GPT replicates as part of SYSVOL (by FRS on Windows Server 2003). Until both have arrived, the two halves of a GPO can be out of step on a given DC.

ADM Templates

• Used to populate the Administrative Templates folder in Group Policy Editor

• D:\RMNetwork\RMManage\Type Manager\ADM

• Removal will not affect policies already defined

Policies and Preferences

• A “policy” is a registry setting that lives either under \Software\Policies or \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies in the registry (in HKLM for machine policy settings and HKCU for user policy settings).

• All other registry values are called preferences.

• Policies do not “tattoo”: when the GPO that set them no longer applies, the policy keys are cleaned up and the setting reverts. Preferences stay in the registry until something else changes them.


• Third-party applications are often not coded to read the “volatile” policy areas of the registry

• To use GPOs to control these applications, create a custom .adm file that writes to their own keys (these are preferences, so they will tattoo):

– http://support.microsoft.com/kb/225087

• To view ADM files which set “preferences” remove tick from “Only show policies which can be fully managed”

• Red for Preferences, Blue for Policies
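An added example in Python that serves both the earlier registry.pol slide (what regview.exe shows you) and the policy/preference distinction here. It is not RM’s or Microsoft’s code and not regview.exe: it builds a registry.pol from a list of entries, parses it back, and labels each entry as a policy (non-tattooing) or a preference (tattooing) purely from its key path. The sample entries are constructed; “Acme” is a hypothetical application.

```python
"""Added example (not RM's or Microsoft's code, and not regview.exe): build and parse
a registry.pol file, then classify each entry as a policy (does not tattoo) or a
preference (tattoos) by its key path, using the definition on the Policies and
Preferences slide.

registry.pol layout (the "PReg" format): a 4-byte signature "PReg", a DWORD version
(1), then entries of the form [key;value;type;size;data] where '[', ';' and ']' are
UTF-16LE characters, key and value are NUL-terminated UTF-16LE strings, type and
size are little-endian DWORDs and data is `size` raw bytes. The sample entries are
constructed for the example; "Acme" is a hypothetical application.
"""
import struct

SIGNATURE = b"PReg"
VERSION = 1
REG_SZ, REG_DWORD = 1, 4

# Hive-relative key prefixes that Group Policy treats as true policy locations.
POLICY_ROOTS = ("software\\policies\\",
                "software\\microsoft\\windows\\currentversion\\policies\\")


def _utf16z(text):
    """NUL-terminated UTF-16LE string."""
    return text.encode("utf-16-le") + b"\x00\x00"


def _sep(ch):
    """'[', ';' or ']' as a UTF-16LE character."""
    return ch.encode("utf-16-le")


def encode_data(reg_type, value):
    if reg_type == REG_DWORD:
        return struct.pack("<I", value)
    if reg_type == REG_SZ:
        return _utf16z(value)
    raise ValueError(f"unsupported registry type {reg_type}")


def decode_data(reg_type, data):
    if reg_type == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if reg_type == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    return data                                  # other types left as raw bytes


def build_registry_pol(entries):
    """entries: iterable of (key, value_name, reg_type, value) -> registry.pol bytes."""
    out = bytearray(SIGNATURE + struct.pack("<I", VERSION))
    for key, name, reg_type, value in entries:
        data = encode_data(reg_type, value)
        out += (_sep("[") + _utf16z(key) + _sep(";") + _utf16z(name) + _sep(";")
                + struct.pack("<I", reg_type) + _sep(";")
                + struct.pack("<I", len(data)) + _sep(";") + data + _sep("]"))
    return bytes(out)


def _read_utf16z(buf, pos):
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 1 >= len(buf):
        raise ValueError("unterminated string in registry.pol")
    return buf[pos:end].decode("utf-16-le"), end + 2


def is_policy_key(key):
    return (key.replace("/", "\\").lower() + "\\").startswith(POLICY_ROOTS)


def classify(key, name):
    # "**Del.<name>", "**DelVals." and "**DeleteKeys"/"**DeleteValues" are removal
    # instructions processed by the registry CSE, not values to be written.
    if name.startswith(("**Del.", "**DelVals", "**Delete")):
        return "delete"
    return "policy" if is_policy_key(key) else "preference"


def parse_registry_pol(buf):
    if buf[:4] != SIGNATURE or struct.unpack_from("<I", buf, 4)[0] != VERSION:
        raise ValueError("not a version 1 PReg registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        if buf[pos:pos + 2] != _sep("["):
            raise ValueError(f"expected '[' at offset {pos}")
        key, pos = _read_utf16z(buf, pos + 2)
        name, pos = _read_utf16z(buf, pos + 2)                      # skip ';' first
        reg_type, size = struct.unpack_from("<I2xI", buf, pos + 2)  # ';' type ';' size
        pos += 14                                                   # ... ';' -> data
        data = buf[pos:pos + size]
        pos += size + 2                                             # data then ']'
        entries.append({"key": key, "value": name, "type": reg_type,
                        "data": decode_data(reg_type, data), "kind": classify(key, name)})
    return entries


# Constructed sample: two real policy locations, one hypothetical application's
# ordinary key (a preference) and a deletion instruction.
SAMPLE_ENTRIES = [
    ("Software\\Policies\\Microsoft\\Windows\\System", "DisableCMD", REG_DWORD, 1),
    ("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoRun", REG_DWORD, 1),
    ("Software\\Acme\\Viewer", "DefaultPrinter", REG_SZ, "LIBRARY-LASER"),
    ("Software\\Acme\\Viewer", "**Del.LegacyServer", REG_SZ, " "),
]

if __name__ == "__main__":
    for entry in parse_registry_pol(build_registry_pol(SAMPLE_ENTRIES)):
        print(f"{entry['kind']:10} {entry['key']}\\{entry['value']} = {entry['data']!r}")
```

Pointing the parser at a real Machine\Registry.pol or User\Registry.pol from SYSVOL is a quick audit of a GPO: any entry reported as a preference is a value that will stay behind on the station if the GPO is later unlinked or the custom .adm file removed.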

What can’t GPOs do….and what else can they do?

• GPOs cannot control applications that do not store their settings in the system registry

• GPOs can give us control over desktop, control panel access, Start Menu and Taskbar, Windows components, and more…

• GPOs can enforce security

• GPOs can redirect My Documents

– Aids in backup

– Allows creation of a standard desktop for multiple users



Software Restrictions

• Allows you to control what programs can run on the computer

• File rules (also known as “hash” rules) – a cryptographic fingerprint of the file; the rule follows the file wherever it is copied, but must be re-created whenever the program is updated

• Path rules – allow or disallow all programs within a folder; only as strong as the folder’s permissions, since anything a user can write into an allowed folder will run
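The difference between the two rule types, as an added example in Python (not RM’s or Microsoft’s code). The evaluator follows the documented SRP precedence: a matching hash rule beats any path rule, and among matching path rules the most specific one wins. The rules, paths and “executables” are constructed; SRP on XP/Server 2003 stored an MD5 for hash rules (later versions added SHA-256), and this example uses SHA-256 since the matching logic rather than the algorithm is the point. Environment variables in path rules are not expanded.

```python
"""Added example (not RM's or Microsoft's code): evaluate Software Restriction
Policy style rules against a program, to show why a hash rule and a path rule
behave so differently.

Assumptions: the rules, paths and file contents below are constructed. SRP on
Windows XP / Server 2003 stored an MD5 of the file for hash rules (later versions
added SHA-256); this example uses SHA-256 because the matching logic, not the
algorithm, is the point. Environment variables in path rules are not expanded.
"""
import hashlib
import ntpath
from dataclasses import dataclass

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"


@dataclass(frozen=True)
class HashRule:
    sha256: str
    level: str


@dataclass(frozen=True)
class PathRule:
    path: str          # a file or folder; a folder rule covers everything beneath it
    level: str


def fingerprint(file_bytes):
    return hashlib.sha256(file_bytes).hexdigest()


def _norm(path):
    # ntpath gives Windows semantics on any platform: case-insensitive, '\' separators
    return ntpath.normcase(path).rstrip("\\")


def evaluate(file_path, file_bytes, rules, default_level=DISALLOWED):
    """Return (level, matching_rule). Hash rules take precedence over path rules;
    among matching path rules the most specific (longest) one wins; otherwise the
    default security level applies."""
    digest = fingerprint(file_bytes)
    for rule in rules:
        if isinstance(rule, HashRule) and rule.sha256 == digest:
            return rule.level, rule
    target, best = _norm(file_path), None
    for rule in rules:
        if isinstance(rule, PathRule):
            p = _norm(rule.path)
            if target == p or target.startswith(p + "\\"):
                if best is None or len(p) > len(_norm(best.path)):
                    best = rule
    if best is not None:
        return best.level, best
    return default_level, None


# Constructed sample "executables" (not real PE files).
TOOL = b"MZ constructed teaching tool"
MALWARE = b"MZ constructed malware sample"

RULES = [
    PathRule("C:\\Program Files", UNRESTRICTED),
    PathRule("C:\\Windows", UNRESTRICTED),
    PathRule("C:\\Windows\\Temp", DISALLOWED),     # user-writable folder inside an allowed tree
    HashRule(fingerprint(MALWARE), DISALLOWED),
]


def demo():
    """Default level Disallowed, i.e. an allow-list; returns the level for each case."""
    cases = {
        "installed": ("C:\\Program Files\\Acme\\viewer.exe", TOOL),
        "downloaded": ("C:\\Users\\pupil\\Downloads\\viewer.exe", TOOL),
        "dropped in Windows\\Temp": ("C:\\Windows\\Temp\\viewer.exe", TOOL),
        "malware copied into Program Files": ("C:\\Program Files\\Acme\\viewer.exe", MALWARE),
    }
    return {label: evaluate(path, data, RULES)[0] for label, (path, data) in cases.items()}


if __name__ == "__main__":
    for label, level in demo().items():
        print(f"{label}: {level}")
```

The last two cases are the ones that matter operationally: a program dropped into a user-writable folder under an allowed tree is only stopped because a more specific Disallowed path rule exists for that folder, whereas the hash rule stops the malware no matter which allowed folder it is copied into.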

Summary

• A Group Policy Object is an object in Active Directory used to configure and apply settings for user and computer objects

• Two default GPOs created when Active Directory is installed:

– Default Domain Policy

– Default Domain Controllers Policy

Summary

• Mechanisms for managing GPOs:

– GPMC

– GPEDIT

– RMMC

• GPOs can be used:

– to control user desktop settings and security settings

– to apply scripts on user logon and logoff and computer startup and shutdown

– for folder redirection


Summary

• GPOs are applied in a specific order

• GPOs are inherited by default

– Can be changed by blocking Group Policy inheritance, configuring No Override (called Enforced in the GPMC), or filtering using security group permissions

• A GPO is a combination of the GPT and GPC.

Need to know more?

• http://www.microsoft.com/grouppolicy

• http://www.microsoft.com/windowsserver2003/gpmc

• GPOs Hardcore seminar session!